12782684d8480075ea8ece059fd7a364c46ab53bcf9094e44f5cfccd57d335cb

Analysis

max time kernel
49s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c1dfafc437e8cb6b57dd0729cb39822.exe
Size

1.1MB
MD5

6c1dfafc437e8cb6b57dd0729cb39822
SHA1

92d61dc5bc58d94e3bc1d672e27bfe8133056b8a
SHA256

12782684d8480075ea8ece059fd7a364c46ab53bcf9094e44f5cfccd57d335cb
SHA512

d82a0a86d9dbe499ca3a7b62fbe447272746ae88202479b850701e01b2ea724acf6e8a35be6be04331bbdf37e2769c5d11a70cdf449a599273c533de3eee7638
SSDEEP

24576:d5nQlHDiGRXcIVofrYIfvJWPL1zY7zzXeic8DfNQKpyEeiTbZ:7IH2voT6n08TmOx/l

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	dc.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2600	netsh.exe
2684	netsh.exe
580	netsh.exe
1808	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2520	dc.exe
2028	svchost.exe
1544	dc.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	6c1dfafc437e8cb6b57dd0729cb39822.exe
2316	6c1dfafc437e8cb6b57dd0729cb39822.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	dc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\dc.exe	6c1dfafc437e8cb6b57dd0729cb39822.exe
File created	C:\Windows\System\svchost.exe	6c1dfafc437e8cb6b57dd0729cb39822.exe
File opened for modification	C:\Windows\System\svchost.exe	6c1dfafc437e8cb6b57dd0729cb39822.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\dc.exe	svchost.exe
File created	C:\Windows\System\xxx1.bak	6c1dfafc437e8cb6b57dd0729cb39822.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2316	6c1dfafc437e8cb6b57dd0729cb39822.exe
2612	powershell.exe
2596	powershell.exe
2520	dc.exe
2520	dc.exe
2316	6c1dfafc437e8cb6b57dd0729cb39822.exe
2028	svchost.exe
804	powershell.exe
1804	powershell.exe
1544	dc.exe
1544	dc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2600	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	29
PID 2316 wrote to memory of 2600	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	29
PID 2316 wrote to memory of 2600	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	29
PID 2316 wrote to memory of 2684	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	31
PID 2316 wrote to memory of 2684	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	31
PID 2316 wrote to memory of 2684	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	31
PID 2316 wrote to memory of 2612	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	33
PID 2316 wrote to memory of 2612	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	33
PID 2316 wrote to memory of 2612	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	33
PID 2316 wrote to memory of 2596	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	35
PID 2316 wrote to memory of 2596	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	35
PID 2316 wrote to memory of 2596	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	35
PID 2316 wrote to memory of 2520	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	37
PID 2316 wrote to memory of 2520	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	37
PID 2316 wrote to memory of 2520	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	37
PID 2316 wrote to memory of 2520	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	37
PID 2316 wrote to memory of 2120	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	40
PID 2316 wrote to memory of 2120	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	40
PID 2316 wrote to memory of 2120	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	40
PID 2316 wrote to memory of 2776	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	42
PID 2316 wrote to memory of 2776	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	42
PID 2316 wrote to memory of 2776	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	42
PID 2316 wrote to memory of 2028	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	44
PID 2316 wrote to memory of 2028	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	44
PID 2316 wrote to memory of 2028	2316	6c1dfafc437e8cb6b57dd0729cb39822.exe	44
PID 2028 wrote to memory of 580	2028	svchost.exe	46
PID 2028 wrote to memory of 580	2028	svchost.exe	46
PID 2028 wrote to memory of 580	2028	svchost.exe	46
PID 2028 wrote to memory of 1808	2028	svchost.exe	48
PID 2028 wrote to memory of 1808	2028	svchost.exe	48
PID 2028 wrote to memory of 1808	2028	svchost.exe	48
PID 2028 wrote to memory of 804	2028	svchost.exe	50
PID 2028 wrote to memory of 804	2028	svchost.exe	50
PID 2028 wrote to memory of 804	2028	svchost.exe	50
PID 2028 wrote to memory of 1804	2028	svchost.exe	53
PID 2028 wrote to memory of 1804	2028	svchost.exe	53
PID 2028 wrote to memory of 1804	2028	svchost.exe	53
PID 2028 wrote to memory of 1544	2028	svchost.exe	54
PID 2028 wrote to memory of 1544	2028	svchost.exe	54
PID 2028 wrote to memory of 1544	2028	svchost.exe	54
PID 2028 wrote to memory of 1544	2028	svchost.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c1dfafc437e8cb6b57dd0729cb39822.exe
"C:\Users\Admin\AppData\Local\Temp\6c1dfafc437e8cb6b57dd0729cb39822.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2600
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System\dc.exe
  "C:\Windows\System\dc.exe" /D
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Windows security modification
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Windows\system32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:2120
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:2776
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:580
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\System\dc.exe
    "C:\Windows\System\dc.exe" /D
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1544

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2344

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hjxvbvv

Filesize
108KB

MD5
07232b64be72593980cd952e8f85017e

SHA1
61dba57cc51f4501ace3520e2cf559d8e42e04d7

SHA256
ef342bcc3c938c2fa9b38bc84019d8dce94d018372f7d9c29a8ee7ff3f0fc3a8

SHA512
d5417f270e14fe3437c0d017e037117001377379475531b70f9d6840548dd830117fbf62c152c9af09f586bdf944edac330bc560cca4fa45105269319e7158cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
028b19e1330b70f8ffe852f05cc18590

SHA1
d98a81ecfa7eeac3f325edae7fc0613ccef7461f

SHA256
81be1b8a88d51d15c9a8c21d9f601483a7595f90262a4d521ec0de2c740e3690

SHA512
463450e61727b2c13a4b77557a4053c9d34741eba4af9add5ae51c8cc77bb2483041c559ebd7db15e3ef1e9dfe779e1d53a60de49626b1abd8a962596ab6cba2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O5V8MN1C7X5Y8LBFMBZN.temp

Filesize
7KB

MD5
4b4ae43632a13c23b709a1a81c07b143

SHA1
972a38f36e0edd20378afaa0c2db4989c14ebd16

SHA256
879bf2ef8ce83e4aa54798185af512cc23f9154c577aa59537112fd554fb5922

SHA512
7e15746eb7e0ca0bb8d301740626cc65be2a588bef0b21e0a9a8ac59ea805a827b1dee6e0ca228bf6650404dd2420bfb16e7d7ec1dfde548767f6e39e99bf8cf

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
160B

MD5
58f8eb09a822c09fc11f5a42baae36f1

SHA1
9e7063eeee62c8588e0020bef3a116e9379966aa

SHA256
6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a

SHA512
53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\System\dc.exe

Filesize
640KB

MD5
6578c690e27d738a171d8a3048b4edee

SHA1
ea9990d26769e037a527dd7d926bc568ab9be987

SHA256
ec44d62bcbb98f9974f4db44d0042dac8c997ab2a850e4854a6e653858b2debb

SHA512
3ac669fb1b046e87b9fb10cb768b0e416db71ccdb8af4ba0bd885ed1d2dfd20fbecb3c9988d2cdcddd6f648c3495b838e982d94b33d48ad1ee4deef8e34e9759

Download Submit
C:\Windows\System\dc.exe

Filesize
396KB

MD5
2a9e0d06af8c237ea2a2351769d07fd4

SHA1
874075b125d5c93e8b60d8e44552c1732ae8596a

SHA256
c97576e83cf92c96a78be3cb99167761b7df33e488c45aa826c1321dbb39759c

SHA512
9b9a3b8d605218bd0f05916b5567644559c9a960c98fa8a8a618fb067a34b0cf971b50bdcbd2ebd7870a36a40baded94d70632effca5f11a0ccb300939a50d46

Download Submit
C:\Windows\system\dc.exe

Filesize
452KB

MD5
78225b04046708beb19acf672aca3937

SHA1
29880b20895f4eca6d87833d8438d8c7e9364808

SHA256
7904ae0067062cbe0f1de22150bda633b2b886cb9d575327e0ad9aaf52868ee9

SHA512
aa73f9560073a839d69d183daf954ee4460d0894f6ec52be003505a4989720acce364b3986f596e9452130800af349720c1ffda0e7be2a6baac0dbfbe7535bd5

Download Submit
C:\Windows\system\dc.exe

Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
C:\Windows\system\dc.exe

Filesize
533KB

MD5
1c28d234dd008f9be083be96c15c9dce

SHA1
e33e5f4854c28158fa54cbb815d4a67a8cefd662

SHA256
559bc908d07366a9db0572ca77c98404aaa5c7b60baea7aaf5af71f980464080

SHA512
46286722c7f411a140c40ccf8afed48981ff139acce164e105c1126b76d7ccb9dbde5debb4a2940ae1d40439783a28b810eb8f0ad97333a0317e4d0f0eff7f57

Download Submit
C:\Windows\system\svchost.exe

Filesize
1.1MB

MD5
6c1dfafc437e8cb6b57dd0729cb39822

SHA1
92d61dc5bc58d94e3bc1d672e27bfe8133056b8a

SHA256
12782684d8480075ea8ece059fd7a364c46ab53bcf9094e44f5cfccd57d335cb

SHA512
d82a0a86d9dbe499ca3a7b62fbe447272746ae88202479b850701e01b2ea724acf6e8a35be6be04331bbdf37e2769c5d11a70cdf449a599273c533de3eee7638

Download Submit
memory/804-81-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/804-82-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/804-86-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/804-71-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/804-88-0x0000000002DFB000-0x0000000002E62000-memory.dmp

Filesize
412KB

Download
memory/804-72-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/804-70-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/804-73-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/804-76-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-83-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-89-0x0000000002160000-0x00000000021E0000-memory.dmp

Filesize
512KB

Download
memory/1804-90-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-85-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-84-0x0000000002160000-0x00000000021E0000-memory.dmp

Filesize
512KB

Download
memory/1804-87-0x0000000002160000-0x00000000021E0000-memory.dmp

Filesize
512KB

Download
memory/2028-63-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2028-107-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2316-0-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2316-2-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2316-52-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2316-64-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2316-1-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/2596-21-0x0000000002CCB000-0x0000000002D32000-memory.dmp

Filesize
412KB

Download
memory/2596-23-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2596-22-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2596-20-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-19-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-18-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2612-26-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-9-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-16-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-11-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2612-8-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2612-7-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2612-17-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2612-25-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2612-24-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download