mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe
Size

742KB
MD5

f9a8fb0e8bc08416a56f6abadce7c209
SHA1

237564839550770c1347c3cf62997b953bc438b1
SHA256

9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4
SHA512

d11b6686e901c38c886a140d598cb2037b9c9eb8db8960dba0b17e77255bdcdbae141ba2b9f8c04abea07bc30bae3a776caa82d4e970c7587af5eaced6ea9d75
SSDEEP

12288:GMrwy90oeqm9YLhnjzaA/ZFqIk1WnL1ZGfgXPan44vrYuJvNUuC:OyLex6LhjzaOp5nL1ZQgA9TVvOP

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral13/memory/2780-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2780-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2780-26-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral13/memory/2736-36-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 6 IoCs

Processes:

Ch4SS04.exeYR3Ih10.exe1aH22dc8.exe2Gq9069.exe3gD29pv.exe4yy799Rl.exe

pid process

3856 Ch4SS04.exe
4620 YR3Ih10.exe
5028 1aH22dc8.exe
4808 2Gq9069.exe
4268 3gD29pv.exe
3624 4yy799Rl.exe

pid	process
3856	Ch4SS04.exe
4620	YR3Ih10.exe
5028	1aH22dc8.exe
4808	2Gq9069.exe
4268	3gD29pv.exe
3624	4yy799Rl.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ch4SS04.exeYR3Ih10.exe9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ch4SS04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	YR3Ih10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1aH22dc8.exe2Gq9069.exe3gD29pv.exe4yy799Rl.exe

description	pid	process	target process
PID 5028 set thread context of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 4808 set thread context of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4268 set thread context of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 3624 set thread context of 2736	3624	4yy799Rl.exe	AppLaunch.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3384	5028	WerFault.exe	1aH22dc8.exe
4592	4808	WerFault.exe	2Gq9069.exe
2356	4268	WerFault.exe	3gD29pv.exe
4052	3624	WerFault.exe	4yy799Rl.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1364 AppLaunch.exe
1364 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1364 AppLaunch.exe

pid	process
1364	AppLaunch.exe
1364	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1364	AppLaunch.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exeCh4SS04.exeYR3Ih10.exe1aH22dc8.exe2Gq9069.exe3gD29pv.exe4yy799Rl.exe

description	pid	process	target process
PID 2208 wrote to memory of 3856	2208	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe	Ch4SS04.exe
PID 2208 wrote to memory of 3856	2208	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe	Ch4SS04.exe
PID 2208 wrote to memory of 3856	2208	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe	Ch4SS04.exe
PID 3856 wrote to memory of 4620	3856	Ch4SS04.exe	YR3Ih10.exe
PID 3856 wrote to memory of 4620	3856	Ch4SS04.exe	YR3Ih10.exe
PID 3856 wrote to memory of 4620	3856	Ch4SS04.exe	YR3Ih10.exe
PID 4620 wrote to memory of 5028	4620	YR3Ih10.exe	1aH22dc8.exe
PID 4620 wrote to memory of 5028	4620	YR3Ih10.exe	1aH22dc8.exe
PID 4620 wrote to memory of 5028	4620	YR3Ih10.exe	1aH22dc8.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 5028 wrote to memory of 1364	5028	1aH22dc8.exe	AppLaunch.exe
PID 4620 wrote to memory of 4808	4620	YR3Ih10.exe	2Gq9069.exe
PID 4620 wrote to memory of 4808	4620	YR3Ih10.exe	2Gq9069.exe
PID 4620 wrote to memory of 4808	4620	YR3Ih10.exe	2Gq9069.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 4808 wrote to memory of 2780	4808	2Gq9069.exe	AppLaunch.exe
PID 3856 wrote to memory of 4268	3856	Ch4SS04.exe	3gD29pv.exe
PID 3856 wrote to memory of 4268	3856	Ch4SS04.exe	3gD29pv.exe
PID 3856 wrote to memory of 4268	3856	Ch4SS04.exe	3gD29pv.exe
PID 4268 wrote to memory of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 4268 wrote to memory of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 4268 wrote to memory of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 4268 wrote to memory of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 4268 wrote to memory of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 4268 wrote to memory of 1832	4268	3gD29pv.exe	AppLaunch.exe
PID 2208 wrote to memory of 3624	2208	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe	4yy799Rl.exe
PID 2208 wrote to memory of 3624	2208	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe	4yy799Rl.exe
PID 2208 wrote to memory of 3624	2208	9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe	4yy799Rl.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe
PID 3624 wrote to memory of 2736	3624	4yy799Rl.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe
"C:\Users\Admin\AppData\Local\Temp\9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ch4SS04.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ch4SS04.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YR3Ih10.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YR3Ih10.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aH22dc8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aH22dc8.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 580
5⤵
- Program crash
PID:3384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gq9069.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gq9069.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 584
5⤵
- Program crash
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3gD29pv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3gD29pv.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Checks SCSI registry key(s)
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 156
4⤵
- Program crash
PID:2356

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yy799Rl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yy799Rl.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 148
3⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5028 -ip 5028
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4808 -ip 4808
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4268 -ip 4268
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3624 -ip 3624
1⤵
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yy799Rl.exe
Filesize
336KB

MD5
a78a95bcd506cfea76978c1cd60f083c

SHA1
e9c7f2bf4d4d6a0b3ad3a317de21e3fc07a88ec8

SHA256
918382d098156337cb8a4e29ccd26d34bff173c79a42db500874fed67ce5f002

SHA512
9abb7e669fc17f84540a54560be50c28c52a6c80203072828352bf93c1a331f7ed8aa34e2475205684368a43cff0ae22a7cd5b230470666e3a8b7983254b60e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ch4SS04.exe
Filesize
508KB

MD5
b27658884d00d0c579eb4e4626ae87ab

SHA1
f8226231b17981df7bbc220d7fa0f03d0ac5ac1a

SHA256
a08835ffc09be153086af2f9f90c8cb0df15241e57e28f25a16e2ac3f16974ff

SHA512
ff1641592f655b192e4b7a6e51e10278a65e084432775b2e601a9884ec8313c2cf5c7046562634ab888ba834d302e8ada048db0f1f385c635096def36377ddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3gD29pv.exe
Filesize
145KB

MD5
a9415ff452c695bd26c09bce9dc47b22

SHA1
4d454798821f79630abe5f0e8ccf0b8142bed80d

SHA256
500857910497a811963df7fab4da4f687da985c29f9fc17f563805ba7dc0a8a8

SHA512
b60f8389b9e2cb76be65718aa87e2de4a7b66f207e25db775c306638c84b3b808dd84e4f04e058aa680c84d15d3793aeedc015e89524d2ebf73212cda66bdd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YR3Ih10.exe
Filesize
324KB

MD5
74a3000341ae69b3236bc32f710be265

SHA1
a55899ae63bd6dfde227637fc2d75e98ff570c4a

SHA256
e44b6a948128f7680351db06f1840d037af8e0250ec54ed7cff963a8d357e403

SHA512
d801582b29fde1740b688030de4cc43d031cad95f8e9330d1757e69e11ec41b5386b7e344fd8c4cdacbefa2cf1a19f58cb6601182c5bf232d9b4b3cf18c05d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aH22dc8.exe
Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gq9069.exe
Filesize
295KB

MD5
78076d1724db675d80d29a7a3ac4b8f4

SHA1
09599a4f261543155fd8e32274ec13b6e8883c89

SHA256
17c90d5e7da9af1ed1247078cfbc87904f54bfba87c94965d35e041fb755d036

SHA512
ffd90215bb74f51f79658dcb8648440b27b0c33a7c04bc718286f51db4e02cca0ab329a356373bd2edf27f445bcf9bc9d5d280ea5e2e1fbdaa50de02c5f650c3

Download Submit
memory/1364-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1832-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2736-40-0x0000000008540000-0x0000000008B58000-memory.dmp

Filesize
6.1MB

Download
memory/2736-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-37-0x0000000007970000-0x0000000007F14000-memory.dmp

Filesize
5.6MB

Download
memory/2736-38-0x00000000073C0000-0x0000000007452000-memory.dmp

Filesize
584KB

Download
memory/2736-39-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/2736-41-0x0000000007720000-0x000000000782A000-memory.dmp

Filesize
1.0MB

Download
memory/2736-42-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/2736-43-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/2736-44-0x0000000007610000-0x000000000765C000-memory.dmp

Filesize
304KB

Download
memory/2780-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2780-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2780-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download