b28fda7196b8a932afbebdde61f29b1c9c6179f7feab445366adb775eef5cf6c

Analysis

max time kernel
152s
max time network
166s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
20/02/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhxiScriptEngine.exe
Size

154.6MB
MD5

6da445a956cea76679587b9e46a70f62
SHA1

e660a84e82f0635100ab3bd34b4a9c8da438d825
SHA256

ea7744acc6fbe786d343bf6ad9adc9d88d0890de1ba5787dd2b6156b8a7d8a4a
SHA512

9115fc2e867cbda50ffc02e14da69939d74e61e75369f8c78d48826c5586fa7616c25b7a51593e17ce2ea220de428aadadeb549a7ac548b1c0a58d24176d0537
SSDEEP

1572864:/CquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:vDAgZi

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3721099760-3917598953-789468489-1000\Control Panel\International\Geo\Nation	PhxiScriptEngine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3721099760-3917598953-789468489-1000\Control Panel\International\Geo\Nation	PhxiScriptEngine.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	PhxiScriptEngine.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipapi.co
4	ipapi.co

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
3772	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2004	tasklist.exe
4868	tasklist.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2336	powershell.exe
2336	powershell.exe
2336	powershell.exe
2588	PhxiScriptEngine.exe
2588	PhxiScriptEngine.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	4868	tasklist.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe
Token: SeCreatePagefilePrivilege	2220	PhxiScriptEngine.exe
Token: SeShutdownPrivilege	2220	PhxiScriptEngine.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1656	2220	PhxiScriptEngine.exe	74
PID 2220 wrote to memory of 1656	2220	PhxiScriptEngine.exe	74
PID 1656 wrote to memory of 2004	1656	cmd.exe	76
PID 1656 wrote to memory of 2004	1656	cmd.exe	76
PID 2220 wrote to memory of 1660	2220	PhxiScriptEngine.exe	78
PID 2220 wrote to memory of 1660	2220	PhxiScriptEngine.exe	78
PID 2220 wrote to memory of 3772	2220	PhxiScriptEngine.exe	80
PID 2220 wrote to memory of 3772	2220	PhxiScriptEngine.exe	80
PID 1660 wrote to memory of 4868	1660	cmd.exe	82
PID 1660 wrote to memory of 4868	1660	cmd.exe	82
PID 3772 wrote to memory of 2336	3772	cmd.exe	83
PID 3772 wrote to memory of 2336	3772	cmd.exe	83
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 768	2220	PhxiScriptEngine.exe	84
PID 2220 wrote to memory of 3856	2220	PhxiScriptEngine.exe	85
PID 2220 wrote to memory of 3856	2220	PhxiScriptEngine.exe	85
PID 2220 wrote to memory of 4836	2220	PhxiScriptEngine.exe	86
PID 2220 wrote to memory of 4836	2220	PhxiScriptEngine.exe	86
PID 2220 wrote to memory of 2588	2220	PhxiScriptEngine.exe	87
PID 2220 wrote to memory of 2588	2220	PhxiScriptEngine.exe	87

C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe
"C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,162,129,71,63,146,136,37,70,133,96,231,68,203,217,16,229,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,161,230,49,0,123,165,226,153,158,55,0,154,98,158,127,52,74,142,60,186,206,246,88,157,22,251,229,213,110,132,144,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,242,187,26,139,36,191,82,75,151,157,207,151,205,237,18,141,222,186,29,74,57,165,114,75,165,190,168,114,171,216,46,158,48,0,0,0,205,151,211,228,203,16,181,121,159,89,222,207,13,232,245,70,39,74,101,148,254,138,248,171,42,5,69,0,42,198,0,195,64,114,207,191,39,217,101,2,95,147,219,94,167,112,78,3,64,0,0,0,204,156,245,211,39,228,3,23,26,57,9,29,45,23,124,20,8,155,179,193,78,34,245,196,103,134,174,67,218,22,202,7,241,129,182,183,132,211,218,228,195,155,213,153,68,41,242,21,178,167,19,197,162,47,52,75,165,92,216,224,72,126,118,224), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,162,129,71,63,146,136,37,70,133,96,231,68,203,217,16,229,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,161,230,49,0,123,165,226,153,158,55,0,154,98,158,127,52,74,142,60,186,206,246,88,157,22,251,229,213,110,132,144,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,242,187,26,139,36,191,82,75,151,157,207,151,205,237,18,141,222,186,29,74,57,165,114,75,165,190,168,114,171,216,46,158,48,0,0,0,205,151,211,228,203,16,181,121,159,89,222,207,13,232,245,70,39,74,101,148,254,138,248,171,42,5,69,0,42,198,0,195,64,114,207,191,39,217,101,2,95,147,219,94,167,112,78,3,64,0,0,0,204,156,245,211,39,228,3,23,26,57,9,29,45,23,124,20,8,155,179,193,78,34,245,196,103,134,174,67,218,22,202,7,241,129,182,183,132,211,218,228,195,155,213,153,68,41,242,21,178,167,19,197,162,47,52,75,165,92,216,224,72,126,118,224), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe
  "C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\PhxiScriptEngine" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1820,i,7199888985783456052,7060680335868780777,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:768
- C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe
  "C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\PhxiScriptEngine" --mojo-platform-channel-handle=2012 --field-trial-handle=1820,i,7199888985783456052,7060680335868780777,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe
  "C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\PhxiScriptEngine" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2464 --field-trial-handle=1820,i,7199888985783456052,7060680335868780777,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe
  "C:\Users\Admin\AppData\Local\Temp\PhxiScriptEngine.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\PhxiScriptEngine" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1820,i,7199888985783456052,7060680335868780777,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqqqzjpq.xw3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Roaming\PhxiScriptEngine\Network\Network Persistent State

Filesize
502B

MD5
99d7a93fe8358a04840dc9633cec2745

SHA1
d02261270c13a28249b7da78cdd2a82c8fa4dedf

SHA256
74930fab29b1f392e4c4804ee74420ba10662eb1c79d6094e4f10a10b5958723

SHA512
240c3a6a242d5f0f00ea49b949867dfa71e805112a2283c6dd9f9086533f533919437981a5480c7c1b96353c1548fbed56adcb60cd0080e1a31c886baf724ec5

Download Submit
C:\Users\Admin\AppData\Roaming\PhxiScriptEngine\Network\Network Persistent State~RFe58f066.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
\Users\Admin\AppData\Local\Temp\f37020f0-3e74-447f-8510-9902d37e0262.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
memory/2336-16-0x0000020316D20000-0x0000020316D30000-memory.dmp

Filesize
64KB

Download
memory/2336-20-0x000002032F5B0000-0x000002032F626000-memory.dmp

Filesize
472KB

Download
memory/2336-47-0x000002032F3F0000-0x000002032F440000-memory.dmp

Filesize
320KB

Download
memory/2336-48-0x0000020316D20000-0x0000020316D30000-memory.dmp

Filesize
64KB

Download
memory/2336-53-0x00007FFF1B380000-0x00007FFF1BD6C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-17-0x0000020316D20000-0x0000020316D30000-memory.dmp

Filesize
64KB

Download
memory/2336-15-0x00007FFF1B380000-0x00007FFF1BD6C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-14-0x000002032F480000-0x000002032F4A2000-memory.dmp

Filesize
136KB

Download