rms | e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe
Size

4.2MB
MD5

183f0ac56267fcfa87570e3533b17dcb
SHA1

0bcb4f0d472ed346ea41f652bc89f770b78d97a2
SHA256

e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b
SHA512

dda8c4a0c3869112085c7d9de249e0de2978e7e3a6bd11e798ece22fd3ea233f72f028b93ca08facd100966fed56092eecafd019ce66859f9e54857e2832111b
SSDEEP

98304:3jJ1gKpqp+z0DKOyZhjt4UpQohV6oby9pr1adb8l:91Rp02Oy7e9oSkSmA

Score

10^/10

rms aspackv2 rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\rutserv.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

admi.exeWScript.exe183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	admi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe

Executes dropped EXE 7 IoCs

Processes:

admi.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

1472 admi.exe
3388 rutserv.exe
3168 rutserv.exe
1468 rutserv.exe
2332 rutserv.exe
60 rutserv.exe
2900 rutserv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3732 timeout.exe
4472 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1092 taskkill.exe
4564 taskkill.exe
4536 taskkill.exe
4288 taskkill.exe
Modifies registry class 1 IoCs

Processes:

admi.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings admi.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

3948 regedit.exe
2328 regedit.exe

pid	process
1472	admi.exe
3388	rutserv.exe
3168	rutserv.exe
1468	rutserv.exe
2332	rutserv.exe
60	rutserv.exe
2900	rutserv.exe

pid	process
3732	timeout.exe
4472	timeout.exe

pid	process
1092	taskkill.exe
4564	taskkill.exe
4536	taskkill.exe
4288	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	admi.exe

pid	process
3948	regedit.exe
2328	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
3168	rutserv.exe
3168	rutserv.exe
3388	rutserv.exe
3388	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
2332	rutserv.exe
2332	rutserv.exe
60	rutserv.exe
60	rutserv.exe
2900	rutserv.exe
2900	rutserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

3168 rutserv.exe
3388 rutserv.exe
1468 rutserv.exe
2332 rutserv.exe
60 rutserv.exe
2900 rutserv.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.execmd.exeadmi.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 4628	1320	183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe	cmd.exe
PID 1320 wrote to memory of 4628	1320	183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe	cmd.exe
PID 1320 wrote to memory of 4628	1320	183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe	cmd.exe
PID 4628 wrote to memory of 1472	4628	cmd.exe	admi.exe
PID 4628 wrote to memory of 1472	4628	cmd.exe	admi.exe
PID 4628 wrote to memory of 1472	4628	cmd.exe	admi.exe
PID 1472 wrote to memory of 4460	1472	admi.exe	WScript.exe
PID 1472 wrote to memory of 4460	1472	admi.exe	WScript.exe
PID 1472 wrote to memory of 4460	1472	admi.exe	WScript.exe
PID 1472 wrote to memory of 4516	1472	admi.exe	cmd.exe
PID 1472 wrote to memory of 4516	1472	admi.exe	cmd.exe
PID 1472 wrote to memory of 4516	1472	admi.exe	cmd.exe
PID 4460 wrote to memory of 3672	4460	WScript.exe	cmd.exe
PID 4460 wrote to memory of 3672	4460	WScript.exe	cmd.exe
PID 4460 wrote to memory of 3672	4460	WScript.exe	cmd.exe
PID 4516 wrote to memory of 4536	4516	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 4536	4516	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 4536	4516	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 4288	3672	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 4288	3672	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 4288	3672	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 1092	3672	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 1092	3672	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 1092	3672	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 4564	4516	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 4564	4516	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 4564	4516	cmd.exe	taskkill.exe
PID 3672 wrote to memory of 3908	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 3908	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 3908	3672	cmd.exe	reg.exe
PID 4516 wrote to memory of 2820	4516	cmd.exe	reg.exe
PID 4516 wrote to memory of 2820	4516	cmd.exe	reg.exe
PID 4516 wrote to memory of 2820	4516	cmd.exe	reg.exe
PID 3672 wrote to memory of 3948	3672	cmd.exe	regedit.exe
PID 3672 wrote to memory of 3948	3672	cmd.exe	regedit.exe
PID 3672 wrote to memory of 3948	3672	cmd.exe	regedit.exe
PID 4516 wrote to memory of 2328	4516	cmd.exe	regedit.exe
PID 4516 wrote to memory of 2328	4516	cmd.exe	regedit.exe
PID 4516 wrote to memory of 2328	4516	cmd.exe	regedit.exe
PID 3672 wrote to memory of 3732	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3732	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3732	3672	cmd.exe	timeout.exe
PID 4516 wrote to memory of 4472	4516	cmd.exe	timeout.exe
PID 4516 wrote to memory of 4472	4516	cmd.exe	timeout.exe
PID 4516 wrote to memory of 4472	4516	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3168	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3168	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3168	3672	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 3388	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 3388	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 3388	4516	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 1468	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 1468	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 1468	3672	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 2332	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 2332	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 2332	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 60	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 60	4516	cmd.exe	rutserv.exe
PID 4516 wrote to memory of 60	4516	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 2900	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 2900	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 2900	3672	cmd.exe	rutserv.exe

C:\Users\Admin\AppData\Local\Temp\183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\183f0ac56267fcfa87570e3533b17dcb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\tests.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - \??\c:\admi.exe
    admi.exe -p12345 -dc:\
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\install.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\install.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:3908
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:3948
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:3732
      - \??\c:\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3168
      - \??\c:\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1468
      - \??\c:\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:2328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4472
    - - \??\c:\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3388
    - - \??\c:\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2332
    - - \??\c:\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\admi.exe

Filesize
4.1MB

MD5
66c240a84a50ff544a5ca49d714c76d4

SHA1
99173116f3c04acadbd943a69a68a030d6513bf1

SHA256
f4da4eb7c0b7e6bbb98162a7fdf558aac39aaf9caf52531cbe2fe41bb46fec2d

SHA512
075a5afbe16ba014b339de380c9689514628c84bbcb8a89321a2a6b41eb9733d48db73b702f03d0cdf4f641c060f2ca7d8e39a059cd70ff382e6e85a58e17943

Download Submit
C:\install.bat

Filesize
289B

MD5
a60d06edbd2b022c5009b0606c1e7481

SHA1
300432e9ebf424dd8e97f405ea2d64c0388c8749

SHA256
b7bdf067aca5eb9fd2b83b2b17195022fb4c684680bcdb278d158e9f77db10a2

SHA512
ded38d51fc5dd90f38a76613646111eb6a44f7d7db01b3e17debff4c779d0f222d7b99820785af1b1d13fa2954557ded03e11a441277668d9dfe729fe824028d

Download Submit
C:\install.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\tests.bat

Filesize
22B

MD5
d4b0e840fe4def0621f001fde561e5b9

SHA1
ddb72ac6c5a5eb438ba1c978e48922f9ea30d50f

SHA256
afa70763c180373e6a669f3e5ad09141f5baa03e3d1a40e65e8ba36694c82d66

SHA512
4a1c440735af0db34eabe8698a3e28ab8658d62ecced39aeee2dfeee4a75653221ef91c0362311eb92d9752efe1d24aaf49d0fd191289eb75758ed201bd3f3b6

Download Submit
\??\c:\regedit.reg

Filesize
11KB

MD5
54b11bea17cfd51834a5e6cc265f1637

SHA1
1aa9823410a37e8e9a11b81b9b33f9e03f310ad7

SHA256
12af76d157ec14db12588aa0e97d2b0e69f822e2e83ba5909fdfd201f90c6378

SHA512
8b534df7d61c8ba1a55d2b51c4aae9074278a22a82a732ce199e08871fc0ff2b50c0db352ab52b3e1abcf9c5efc473ab33180a2df01423ec28203aa561fcbaf2

Download Submit
memory/60-83-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/60-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/60-71-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/60-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/60-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/60-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/60-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-66-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-56-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-58-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1468-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-63-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-62-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-61-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-60-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-68-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2332-64-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2900-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-38-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-39-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-41-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3168-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-36-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-37-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3388-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download