mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe
Size

991KB
MD5

be582c12844f5f5dddd1d613957799da
SHA1

74dade2c7e5ac082f6942497e78608a33610af0a
SHA256

1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798
SHA512

233eba01255605cf18bf64cfea8b100758f615b6506f80de2aff7c4047ec2e5fd3487eae04cfbe00f796d8cf2c8b7c8c98b2187a54b2bf756c6103bd8eedffd0
SSDEEP

24576:pyuRmIEimkREuj6PmXXXmemqY++LKGoq+h:cu9h0uj6WHmegYGoq+

Score

10^/10

mystic redline smokeloader frant backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/780-56-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/780-59-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/780-57-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1UQ09td3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1UQ09td3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1UQ09td3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1UQ09td3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1UQ09td3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1UQ09td3.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1108-67-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
840	bl1zI65.exe
4572	ER4pw82.exe
4720	1UQ09td3.exe
1980	2Eg6560.exe
4704	3GE77HF.exe
1832	4ci317VO.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1UQ09td3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1UQ09td3.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bl1zI65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ER4pw82.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 780	1980	2Eg6560.exe	97
PID 4704 set thread context of 3172	4704	3GE77HF.exe	106
PID 1832 set thread context of 1108	1832	4ci317VO.exe	111

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1376	1980	WerFault.exe	95
3756	4704	WerFault.exe	101
3828	1832	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	1UQ09td3.exe
4720	1UQ09td3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	1UQ09td3.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 840	4604	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe	83
PID 4604 wrote to memory of 840	4604	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe	83
PID 4604 wrote to memory of 840	4604	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe	83
PID 840 wrote to memory of 4572	840	bl1zI65.exe	84
PID 840 wrote to memory of 4572	840	bl1zI65.exe	84
PID 840 wrote to memory of 4572	840	bl1zI65.exe	84
PID 4572 wrote to memory of 4720	4572	ER4pw82.exe	85
PID 4572 wrote to memory of 4720	4572	ER4pw82.exe	85
PID 4572 wrote to memory of 4720	4572	ER4pw82.exe	85
PID 4572 wrote to memory of 1980	4572	ER4pw82.exe	95
PID 4572 wrote to memory of 1980	4572	ER4pw82.exe	95
PID 4572 wrote to memory of 1980	4572	ER4pw82.exe	95
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 1980 wrote to memory of 780	1980	2Eg6560.exe	97
PID 840 wrote to memory of 4704	840	bl1zI65.exe	101
PID 840 wrote to memory of 4704	840	bl1zI65.exe	101
PID 840 wrote to memory of 4704	840	bl1zI65.exe	101
PID 4704 wrote to memory of 3344	4704	3GE77HF.exe	103
PID 4704 wrote to memory of 3344	4704	3GE77HF.exe	103
PID 4704 wrote to memory of 3344	4704	3GE77HF.exe	103
PID 4704 wrote to memory of 3020	4704	3GE77HF.exe	104
PID 4704 wrote to memory of 3020	4704	3GE77HF.exe	104
PID 4704 wrote to memory of 3020	4704	3GE77HF.exe	104
PID 4704 wrote to memory of 1064	4704	3GE77HF.exe	105
PID 4704 wrote to memory of 1064	4704	3GE77HF.exe	105
PID 4704 wrote to memory of 1064	4704	3GE77HF.exe	105
PID 4704 wrote to memory of 3172	4704	3GE77HF.exe	106
PID 4704 wrote to memory of 3172	4704	3GE77HF.exe	106
PID 4704 wrote to memory of 3172	4704	3GE77HF.exe	106
PID 4704 wrote to memory of 3172	4704	3GE77HF.exe	106
PID 4704 wrote to memory of 3172	4704	3GE77HF.exe	106
PID 4704 wrote to memory of 3172	4704	3GE77HF.exe	106
PID 4604 wrote to memory of 1832	4604	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe	109
PID 4604 wrote to memory of 1832	4604	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe	109
PID 4604 wrote to memory of 1832	4604	1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe	109
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111
PID 1832 wrote to memory of 1108	1832	4ci317VO.exe	111

C:\Users\Admin\AppData\Local\Temp\1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe
"C:\Users\Admin\AppData\Local\Temp\1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bl1zI65.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bl1zI65.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER4pw82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER4pw82.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UQ09td3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UQ09td3.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Eg6560.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Eg6560.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 596
        5⤵
        Program crash
        
        PID:1376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE77HF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE77HF.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:3172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 608
      4⤵
      Program crash
      PID:3756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ci317VO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ci317VO.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 156
    3⤵
    - Program crash
    PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1980 -ip 1980
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4704 -ip 4704
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1832 -ip 1832
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ci317VO.exe

Filesize
459KB

MD5
a38ce3e2dc246d8e40f95186737c588f

SHA1
87eb3f865fdd506f345d1d586f4d8c4d490f669a

SHA256
c42efcd5f53c75f36a6ed5c8f8be82359b848285ffb0fc5acc12fbd625c7028e

SHA512
9b6dec7f0eaae988f522ec927e0082dd03ead7605387c52d6184ee899154c85e9f180622b7ca32377a9e9a0b1972e24131e0a47e2b27797c55736b25261d27c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bl1zI65.exe

Filesize
696KB

MD5
ab140b00cb345dac8addfdaf0aded068

SHA1
09443e7f0a53cafd52c746ef013aec0a521dba17

SHA256
31a6d9124dada285c1a6fe29448d49b90b21805cce361c3cdb5af9dc4aea31ac

SHA512
8f44c1665257a4a5e8435e7f8ca60f6fd27b11fe87955cb13d4b08e8c1fa275b46e9c1273427247eab2c8c09cae7dcc5b5ed530bccd161d80f5364702f584e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE77HF.exe

Filesize
268KB

MD5
f09b788bfb242f8edcb4b4ab2bd0275a

SHA1
71b2273479460cbda9d08073d0b116935d2c6813

SHA256
f291d8694f3198b824474d57a18792218a5d622f2f59370efe6679563db87521

SHA512
709bdc1a303159b27f7e7fa793d1c78f3d6223b5a3ba2c03cbea36eafc1bd0e2edc1bd19e61f7ed5ca53a1ab5018d7c171fc9c3c4ff67b02b4087a07cfd5dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER4pw82.exe

Filesize
452KB

MD5
ed0c168c6d5429ab8a2a1c7fd31e91c6

SHA1
50195d907d10a6c56d479a2ddd9e9e3e27bd340d

SHA256
064bacb6978ed2c988382e83c9c8f4b894da16f92be7aa448733bb51d90eadfb

SHA512
3db371a6047f2154218ca6fe0aa4378bb9c9519d7219ca9b493ba2f4856312025f63b03908e66ebde073c2447dc5240a05a83b092b3f9171c928a7c5d1356cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UQ09td3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Eg6560.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/780-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/780-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/780-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1108-73-0x0000000007700000-0x000000000773C000-memory.dmp

Filesize
240KB

Download
memory/1108-68-0x0000000007340000-0x00000000073D2000-memory.dmp

Filesize
584KB

Download
memory/1108-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1108-69-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/1108-70-0x0000000008420000-0x0000000008A38000-memory.dmp

Filesize
6.1MB

Download
memory/1108-71-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/1108-72-0x0000000007580000-0x0000000007592000-memory.dmp

Filesize
72KB

Download
memory/1108-74-0x0000000007740000-0x000000000778C000-memory.dmp

Filesize
304KB

Download
memory/3172-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4720-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/4720-22-0x0000000004C40000-0x00000000051E4000-memory.dmp

Filesize
5.6MB

Download
memory/4720-21-0x00000000022D0000-0x00000000022EE000-memory.dmp

Filesize
120KB

Download