Overview

overview

10

Static

static

10

1D61E62339...89.exe

windows7-x64

10

1D61E62339...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1D61E62339D38CA2A129710265C26A89.exe

  • Size

    1.9MB

  • MD5

    1d61e62339d38ca2a129710265c26a89

  • SHA1

    185c34e0d555ac3fdf7fefd1732409e65b6aedaf

  • SHA256

    d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

  • SHA512

    0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

  • SSDEEP

    49152:RSRQ8nF3T6S2cvvSiHWxuvF3VPL5/zKAG:RS+AlTK/G9VPBe

Score
10/10
zgratexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe
    "C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5yvbsuvv\5yvbsuvv.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1803.tmp" "c:\Windows\System32\CSC27F842056D0C43B09F55A97E63D8632.TMP"
        3⤵
          PID:2452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\dwm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1460
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmLoS6z5nf.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1680
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:1456
            • C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe
              "C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"
              3⤵
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2168
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2344
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A89" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2548

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe
          Filesize

          1.9MB

          MD5

          1d61e62339d38ca2a129710265c26a89

          SHA1

          185c34e0d555ac3fdf7fefd1732409e65b6aedaf

          SHA256

          d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

          SHA512

          0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\PmLoS6z5nf.bat
          Filesize

          246B

          MD5

          f0e91c2b205c75e47a10e6ecfea84a9b

          SHA1

          28638296a7a781e93460254219a1ed126c035faa

          SHA256

          ac98f315693d85fb176e203cdfc20061363bd271cf6a62391ec104a9a10251c5

          SHA512

          d8e3bf169600f89b4f6e61eee3594356d42f50379ed03463e943417b20bf29991b1e0c1bf34c6c545a64084682a23e9ee429f6e0b1907d6b9f7d4767e74e6ce4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES1803.tmp
          Filesize

          1KB

          MD5

          bcdfd94f36f3bf5785370c0a7ab0d0cb

          SHA1

          44f05f4c1c42452fb1c9dd5394c2e75fa427d26f

          SHA256

          2d581c17be29905ddb333ecce4220140048f99da40491db170b0cb1e91dec4be

          SHA512

          fca59fc9fef75f85f4336b92bc0dc998e85df005ab77ab975e73d91e294586870fce918cc90233772d0fe4d12aa8d03f1a25fa31841ae3d7cb17917ff11e044e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          5fdc38f6d736e4494711df9561f1deb1

          SHA1

          0381e134607d47aed315413fa5ea2e8dd04a333c

          SHA256

          dc80e310a69ece2b29dc85931fe463eed5744428fe9d409fc80edbc52ab8d02e

          SHA512

          632b77b0970bf8352fd868ade88bf1a216f2a8980d2e2a7b130d6990cec82a38f763d8c81bee961040458c904ae0ab64bc7ba5fdd1cd3135683f24818a09557c

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\5yvbsuvv\5yvbsuvv.0.cs
          Filesize

          412B

          MD5

          0fa22ed2be9fcb636436387bbdb41f03

          SHA1

          23cb626d522cb4094e25e71ee8a9add18f99d34d

          SHA256

          1665b25ccb683ce4cb04a5d89c14a21bc630bcfe40d138bbcdd88bf01375e392

          SHA512

          88a8b7b252a369f45984bede62ce80eaf16a54bb0e2e6f0b2d21ecbbfa8c736ce043f3f4b8a51fc287d37b90367b10bf1c1e8501438973b854828cbdd8ef3768

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\5yvbsuvv\5yvbsuvv.cmdline
          Filesize

          235B

          MD5

          69bd0c723584540c558bc3182b0e582f

          SHA1

          6e0a7f08bff74b91b56fb2579887162846760888

          SHA256

          7ea2911fa7b4c7dcfd47421c44f147b8571454ffdb13801d97c1bc51a5031b27

          SHA512

          11efd0877639a5b79c4a2e27051e834a651ed27e57715b74939272b03484694b331ca224e393a6cce0880b2b46efd2d9f189315c90865b4763772571e122a9d3

          Download Submit

        • \??\c:\Windows\System32\CSC27F842056D0C43B09F55A97E63D8632.TMP
          Filesize

          1KB

          MD5

          3fcb2bd8a227751c0367dff5940613bb

          SHA1

          bcca174ab4499de5713d836fbc368966aa1f5b2c

          SHA256

          aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c

          SHA512

          c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672

          Download Submit

        • memory/2300-60-0x0000000002350000-0x0000000002358000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2380-9-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-8-0x0000000000330000-0x000000000034C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2380-11-0x0000000000350000-0x0000000000368000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2380-16-0x0000000000320000-0x000000000032C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2380-17-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-18-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-24-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-31-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-14-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-13-0x0000000000310000-0x000000000031E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2380-6-0x0000000000300000-0x000000000030E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-4-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-3-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-1-0x0000000000B40000-0x0000000000D26000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2380-58-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-2-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2476-138-0x0000000000C90000-0x0000000000E76000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2960-59-0x000000001B790000-0x000000001BA72000-memory.dmp

          Filesize

          2.9MB

          Download