595e2825095b12ddfba4ee6f98f4f6cb1ff1fbc37a3b3191b2fc203d486ba163

Analysis

max time kernel
1800s
max time network
1568s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

satan.exe
Size

184KB
MD5

c9c341eaf04c89933ed28cbc2739d325
SHA1

c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA256

1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA512

7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
SSDEEP

3072:H8SIBtQnE7OhssdWJ5jy392aCmCbBq0ryEbh/Wl7hqU6Q4NJ15xgDbvSY5thfRb3:c7qvhssdu5jyYaCmCQVE6hqUI5sb9Rb3

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2900 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

mowy.exemowy.exe

pid process

1876 mowy.exe
2612 mowy.exe
Loads dropped DLL 3 IoCs

Processes:

satan.exemowy.exe

pid process

2264 satan.exe
2264 satan.exe
1876 mowy.exe

pid	process
2900	cmd.exe

pid	process
1876	mowy.exe
2612	mowy.exe

pid	process
2264	satan.exe
2264	satan.exe
1876	mowy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{694D36CF-F2D8-65F5-CC8A-D97C02965D68} = "C:\\Users\\Admin\\AppData\\Roaming\\Vymek\\mowy.exe"	Explorer.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

Explorer.EXEmowy.exeDwm.exe

pid	process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
2612	mowy.exe
2612	mowy.exe
2612	mowy.exe
2612	mowy.exe
1760	Dwm.exe
1760	Dwm.exe
1760	Dwm.exe
1760	Dwm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

satan.exemowy.exe

description pid process target process

PID 2196 set thread context of 2264 2196 satan.exe satan.exe
PID 1876 set thread context of 2612 1876 mowy.exe mowy.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

788 vssadmin.exe

description	pid	process	target process
PID 2196 set thread context of 2264	2196	satan.exe	satan.exe
PID 1876 set thread context of 2612	1876	mowy.exe	mowy.exe

pid	process
788	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

satan.exemowy.exemowy.exeWerFault.exeWerFault.exe

pid	process
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
2196	satan.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
1876	mowy.exe
2612	mowy.exe
2612	mowy.exe
2612	mowy.exe
2612	mowy.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
1332	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1332 WerFault.exe

pid	process
1332	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

DllHost.exevssvc.exeExplorer.EXEWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeManageVolumePrivilege	792	DllHost.exe
Token: SeBackupPrivilege	1924	vssvc.exe
Token: SeRestorePrivilege	1924	vssvc.exe
Token: SeAuditPrivilege	1924	vssvc.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	2496	WerFault.exe
Token: SeDebugPrivilege	1332	WerFault.exe
Token: SeDebugPrivilege	2592	WerFault.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

satan.exesatan.exemowy.exemowy.exetaskhost.exeExplorer.EXEDwm.execonhost.exe

description	pid	process	target process
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2196 wrote to memory of 2264	2196	satan.exe	satan.exe
PID 2264 wrote to memory of 1876	2264	satan.exe	mowy.exe
PID 2264 wrote to memory of 1876	2264	satan.exe	mowy.exe
PID 2264 wrote to memory of 1876	2264	satan.exe	mowy.exe
PID 2264 wrote to memory of 1876	2264	satan.exe	mowy.exe
PID 2264 wrote to memory of 2900	2264	satan.exe	cmd.exe
PID 2264 wrote to memory of 2900	2264	satan.exe	cmd.exe
PID 2264 wrote to memory of 2900	2264	satan.exe	cmd.exe
PID 2264 wrote to memory of 2900	2264	satan.exe	cmd.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 1876 wrote to memory of 2612	1876	mowy.exe	mowy.exe
PID 2612 wrote to memory of 1224	2612	mowy.exe	taskhost.exe
PID 2612 wrote to memory of 1224	2612	mowy.exe	taskhost.exe
PID 2612 wrote to memory of 1224	2612	mowy.exe	taskhost.exe
PID 2612 wrote to memory of 1316	2612	mowy.exe	Dwm.exe
PID 2612 wrote to memory of 1316	2612	mowy.exe	Dwm.exe
PID 2612 wrote to memory of 1316	2612	mowy.exe	Dwm.exe
PID 1224 wrote to memory of 2592	1224	taskhost.exe	WerFault.exe
PID 1224 wrote to memory of 2592	1224	taskhost.exe	WerFault.exe
PID 1224 wrote to memory of 2592	1224	taskhost.exe	WerFault.exe
PID 2612 wrote to memory of 1364	2612	mowy.exe	Explorer.EXE
PID 2612 wrote to memory of 1364	2612	mowy.exe	Explorer.EXE
PID 2612 wrote to memory of 1364	2612	mowy.exe	Explorer.EXE
PID 2612 wrote to memory of 792	2612	mowy.exe	DllHost.exe
PID 2612 wrote to memory of 792	2612	mowy.exe	DllHost.exe
PID 2612 wrote to memory of 792	2612	mowy.exe	DllHost.exe
PID 1364 wrote to memory of 788	1364	Explorer.EXE	vssadmin.exe
PID 1364 wrote to memory of 788	1364	Explorer.EXE	vssadmin.exe
PID 1364 wrote to memory of 788	1364	Explorer.EXE	vssadmin.exe
PID 2612 wrote to memory of 2592	2612	mowy.exe	WerFault.exe
PID 2612 wrote to memory of 2592	2612	mowy.exe	WerFault.exe
PID 1316 wrote to memory of 2496	1316	Dwm.exe	WerFault.exe
PID 1316 wrote to memory of 2496	1316	Dwm.exe	WerFault.exe
PID 1316 wrote to memory of 2496	1316	Dwm.exe	WerFault.exe
PID 2612 wrote to memory of 2592	2612	mowy.exe	WerFault.exe
PID 2612 wrote to memory of 2496	2612	mowy.exe	WerFault.exe
PID 2612 wrote to memory of 2496	2612	mowy.exe	WerFault.exe
PID 2612 wrote to memory of 2496	2612	mowy.exe	WerFault.exe
PID 2612 wrote to memory of 788	2612	mowy.exe	vssadmin.exe
PID 2612 wrote to memory of 788	2612	mowy.exe	vssadmin.exe
PID 2612 wrote to memory of 788	2612	mowy.exe	vssadmin.exe
PID 2612 wrote to memory of 2828	2612	mowy.exe	conhost.exe
PID 2612 wrote to memory of 2828	2612	mowy.exe	conhost.exe
PID 2612 wrote to memory of 2828	2612	mowy.exe	conhost.exe
PID 2828 wrote to memory of 2316	2828	conhost.exe	WerFault.exe
PID 2828 wrote to memory of 2316	2828	conhost.exe	WerFault.exe
PID 2828 wrote to memory of 2316	2828	conhost.exe	WerFault.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1224 -s 316
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2592 -s 252
3⤵
PID:1920

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1316 -s 336
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\satan.exe
"C:\Users\Admin\AppData\Local\Temp\satan.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\satan.exe
"C:\Users\Admin\AppData\Local\Temp\satan.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\Vymek\mowy.exe
"C:\Users\Admin\AppData\Roaming\Vymek\mowy.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Roaming\Vymek\mowy.exe
"C:\Users\Admin\AppData\Roaming\Vymek\mowy.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_f0d3f772.bat"
4⤵
- Deletes itself
PID:2900

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 792 -s 400
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1426595756203013392917022800-10651654961476259241-1918491087-18581415351109974114"
1⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2828 -s 208
2⤵
PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
c1665454c8ce914e54b09750a236789d

SHA1
67ec459afe57f9290b761c5f5ee7a5e39d689397

SHA256
1ab9edd17bc384af8dbf17f018663c44a16bca7e3a80ec4fbb3a466f2efe3586

SHA512
96534386850934b60247631c79c243db2effd267eb0b3bce3ee8f20b9b40c2c7d296425d1936acd39940a2e222f012abdbf1e9bf36a5b99c0a20227ad5411f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_f0d3f772.bat

Filesize
190B

MD5
aa59a6793ad3419c9ae214fe397e8822

SHA1
ad8c8cb924980590f4fd19c5b5615fadf23a0ef1

SHA256
08bcc4e74128893adc7d0a46985bae6d2e01f908830e9b8a6bacf58617dd3ba3

SHA512
d9a072cdad8eeb641de1fcf33ebc0897be50a7d7aea32d123569b52b07e4f9bd8a77f0de74941bb98ce087f1dd3f577bac2e43dc916047bbac98a1026fe9f620

Download Submit
\Users\Admin\AppData\Roaming\Vymek\mowy.exe

Filesize
67KB

MD5
35bd989846c466e805df6a2345d07791

SHA1
069c959f1cbf19024315e4243b4b32fc5a0c1d5c

SHA256
335f74b78fcc51edfee315694a5f0675e5e5337c18318f95168990038a96fd11

SHA512
4c493b0a505a377c376000ae09bfa60a35882d5b418bb1f8ed9a277047a8c8f9789f3ed9cc8e12a1a7a9eaf24a9d36f446736f7189ae7140657ccbba5a750b48

Download Submit
memory/788-102-0x0000000000090000-0x00000000000A7000-memory.dmp

Filesize
92KB

Download
memory/792-62-0x0000000000470000-0x0000000000487000-memory.dmp

Filesize
92KB

Download
memory/792-68-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/792-64-0x0000000000470000-0x0000000000487000-memory.dmp

Filesize
92KB

Download
memory/792-58-0x0000000000470000-0x0000000000487000-memory.dmp

Filesize
92KB

Download
memory/1224-35-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1224-37-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1224-39-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1224-41-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1316-43-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1316-47-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1316-45-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1332-125-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1332-153-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1332-116-0x0000000000030000-0x0000000000047000-memory.dmp

Filesize
92KB

Download
memory/1364-51-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-53-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-50-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-59-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-61-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-57-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-56-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1364-49-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/1760-143-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/1760-156-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/1876-13-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/1876-15-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/1876-12-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/1876-18-0x0000000000A90000-0x0000000000B99000-memory.dmp

Filesize
1.0MB

Download
memory/1876-20-0x0000000002130000-0x0000000002147000-memory.dmp

Filesize
92KB

Download
memory/1876-17-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/2264-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2264-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2264-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2264-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2496-89-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/2496-123-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/2592-67-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2592-126-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/2592-76-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2592-72-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2612-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-33-0x0000000001EC0000-0x0000000001ED7000-memory.dmp

Filesize
92KB

Download
memory/2612-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-32-0x0000000002180000-0x0000000002289000-memory.dmp

Filesize
1.0MB

Download
memory/2612-26-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/2612-27-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2612-133-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2612-28-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/2612-30-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/2612-154-0x0000000003CB0000-0x0000000003CC7000-memory.dmp

Filesize
92KB

Download
memory/2612-25-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download