af6a3a206daa66c291daac3dc17f29dd7d0e1504a92b6346b5c5fa252dcc3ef5

Resubmissions

30/05/2024, 20:32

240530-zblgdahd7x 10

Analysis

max time kernel
5s
max time network
0s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tthyperRuntimedhcpSvc.exe
Size

1.5MB
MD5

7a4073a468cf2d6ae2836893f467c81d
SHA1

ff54a200d4f6a1a696182f2cfde6e735b2580f37
SHA256

af6a3a206daa66c291daac3dc17f29dd7d0e1504a92b6346b5c5fa252dcc3ef5
SHA512

8df794241d4162850b5243b0844b3818a6ff010f2dda65bdae3a88a69e6f368c700c81997d781568652cb3b42ec98bd5d25ba86fec7d3b7a5856d459dba3bdd5
SSDEEP

24576:6Rcf6gYLRV8nJ4BMFvJw184tEAXQKQq6i0c:6cyloWgvJw1Zsi

Score

10^/10

execution

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2752	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2752	schtasks.exe	28

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
2380	powershell.exe
884	powershell.exe
1456	powershell.exe
1704	powershell.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe	tthyperRuntimedhcpSvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe	tthyperRuntimedhcpSvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\6ccacd8608530f	tthyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	tthyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	tthyperRuntimedhcpSvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\en-US\smss.exe	tthyperRuntimedhcpSvc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe
2808	schtasks.exe
1976	schtasks.exe
2452	schtasks.exe
2276	schtasks.exe
2560	schtasks.exe
1884	schtasks.exe
2972	schtasks.exe
2548	schtasks.exe
2576	schtasks.exe
1840	schtasks.exe
2024	schtasks.exe
1820	schtasks.exe
2536	schtasks.exe
2832	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2460	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe
1200	tthyperRuntimedhcpSvc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	tthyperRuntimedhcpSvc.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2380	1200	tthyperRuntimedhcpSvc.exe	44
PID 1200 wrote to memory of 2380	1200	tthyperRuntimedhcpSvc.exe	44
PID 1200 wrote to memory of 2380	1200	tthyperRuntimedhcpSvc.exe	44
PID 1200 wrote to memory of 2132	1200	tthyperRuntimedhcpSvc.exe	45
PID 1200 wrote to memory of 2132	1200	tthyperRuntimedhcpSvc.exe	45
PID 1200 wrote to memory of 2132	1200	tthyperRuntimedhcpSvc.exe	45
PID 1200 wrote to memory of 1704	1200	tthyperRuntimedhcpSvc.exe	46
PID 1200 wrote to memory of 1704	1200	tthyperRuntimedhcpSvc.exe	46
PID 1200 wrote to memory of 1704	1200	tthyperRuntimedhcpSvc.exe	46
PID 1200 wrote to memory of 1456	1200	tthyperRuntimedhcpSvc.exe	48
PID 1200 wrote to memory of 1456	1200	tthyperRuntimedhcpSvc.exe	48
PID 1200 wrote to memory of 1456	1200	tthyperRuntimedhcpSvc.exe	48
PID 1200 wrote to memory of 884	1200	tthyperRuntimedhcpSvc.exe	50
PID 1200 wrote to memory of 884	1200	tthyperRuntimedhcpSvc.exe	50
PID 1200 wrote to memory of 884	1200	tthyperRuntimedhcpSvc.exe	50
PID 1200 wrote to memory of 2840	1200	tthyperRuntimedhcpSvc.exe	54
PID 1200 wrote to memory of 2840	1200	tthyperRuntimedhcpSvc.exe	54
PID 1200 wrote to memory of 2840	1200	tthyperRuntimedhcpSvc.exe	54
PID 2840 wrote to memory of 1592	2840	cmd.exe	56
PID 2840 wrote to memory of 1592	2840	cmd.exe	56
PID 2840 wrote to memory of 1592	2840	cmd.exe	56
PID 2840 wrote to memory of 2460	2840	cmd.exe	57
PID 2840 wrote to memory of 2460	2840	cmd.exe	57
PID 2840 wrote to memory of 2460	2840	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tthyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Local\Temp\tthyperRuntimedhcpSvc.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqjRc2LOKN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1592
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe

Filesize
1.5MB

MD5
7a4073a468cf2d6ae2836893f467c81d

SHA1
ff54a200d4f6a1a696182f2cfde6e735b2580f37

SHA256
af6a3a206daa66c291daac3dc17f29dd7d0e1504a92b6346b5c5fa252dcc3ef5

SHA512
8df794241d4162850b5243b0844b3818a6ff010f2dda65bdae3a88a69e6f368c700c81997d781568652cb3b42ec98bd5d25ba86fec7d3b7a5856d459dba3bdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqjRc2LOKN.bat

Filesize
211B

MD5
2c98688d136cf4636c8c8da879ff406b

SHA1
7a0e48f87489431d8fbcfbb38fe82f7279339106

SHA256
c747d5ed0b34ca21b17d4ad5bfc4b3dd613f5e0cd4e10978511362bf4954a35c

SHA512
8947cff1ca9d4322b378c7da14ff083398ffdbb3ab63aa94dd926e5d745d774865d5a39002a6469218f9d491c64989bab6474fc22846bd6fe68642dd28811157

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b699fdb78770ed4a7cad3a3ade581557

SHA1
d03ea28c4952b1d92cf7c418e679687d633b1765

SHA256
e09805c5b49219a9ca60fee11b9be6073cc9ba7cabcf10096eb678f395a6fe9c

SHA512
7cd1833ae6cb60b4189432b55e428ec1a3850431ee0766ecbbce1125512bca3a66e8612ba1a19e37ca9933a7c45dbb8107fe4619d91bd6da864b5d54c636ce40

Download Submit
memory/1200-10-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-9-0x0000000000A10000-0x0000000000A28000-memory.dmp

Filesize
96KB

Download
memory/1200-7-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/1200-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1200-15-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-14-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/1200-12-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/1200-20-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-25-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-19-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/1200-17-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/1200-5-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/1200-24-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-23-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-22-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/1200-3-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-2-0x0000000000970000-0x0000000000976000-memory.dmp

Filesize
24KB

Download
memory/1200-1-0x0000000001170000-0x00000000012F4000-memory.dmp

Filesize
1.5MB

Download
memory/1200-56-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-57-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2380-50-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download