latentbot | 5dc147d924897e4952e97d7724a9d401c1036bd37f6e6045e8251ff675599beb

Analysis

max time kernel
141s
max time network
103s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Size

813KB
MD5

bf731bb4cf8fc8724c08864334e138a3
SHA1

2fd67abed797cbcb916125cb9d792f82cbad1d34
SHA256

5dc147d924897e4952e97d7724a9d401c1036bd37f6e6045e8251ff675599beb
SHA512

0a3ecd7f719f1b0b6097b686c73a5ae45ee5a7c874fcbfd89bb2e4d833ffd488738bf8704af580835ae228dc97b80f0a225c6b69d16e7d290ea198785d45c563
SSDEEP

12288:IlsKXp4DADHq8v/t43wJHFDhmS/ymmHcSrU0Qn7bcR0GYeATgUhVnRIF:41XptDHLuw1Nb/p93Rn3cR89MUhxRI

Score

10^/10

latentbot defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

terranostra.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe:*:Enabled:udsc"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
2760	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tsunlim = "c:\\windows\\tsunlim.exe"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\breakts = "0"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\EnableConcurrentSessions = "1"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 1 IoCs

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\termsrv.dll	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\breakts = "0"	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.execmd.exe

description	ioc	Process
File created	\??\c:\windows\ig.fgggf	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File created	\??\c:\windows\tsunlim.exe	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\tsunlim.exe	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File created	C:\WINDOWS\ServicePackFiles\i386\termsrv.dll	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
File created	\??\c:\windows\ipconfig.txt	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net1.exenet.exeipconfig.exenet.exenet.exenet1.exenet1.exenet1.exebf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.execmd.exenet.exenet.execmd.execmd.execmd.execmd.execmd.exenet1.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
2820	ipconfig.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.execmd.exenet.execmd.execmd.exenet.exenet.execmd.exenet.exe

description	pid	Process	procid_target
PID 2508 wrote to memory of 2052	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2052	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2052	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2052	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	29
PID 2508 wrote to memory of 1092	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1092	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1092	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1092	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1644	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	31
PID 2508 wrote to memory of 1644	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	31
PID 2508 wrote to memory of 1644	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	31
PID 2508 wrote to memory of 1644	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2324	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2324	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2324	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2324	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	32
PID 2508 wrote to memory of 1472	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	33
PID 2508 wrote to memory of 1472	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	33
PID 2508 wrote to memory of 1472	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	33
PID 2508 wrote to memory of 1472	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2240	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	34
PID 2508 wrote to memory of 2240	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	34
PID 2508 wrote to memory of 2240	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	34
PID 2508 wrote to memory of 2240	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	34
PID 2508 wrote to memory of 2180	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	35
PID 2508 wrote to memory of 2180	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	35
PID 2508 wrote to memory of 2180	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	35
PID 2508 wrote to memory of 2180	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	35
PID 2508 wrote to memory of 2456	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	36
PID 2508 wrote to memory of 2456	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	36
PID 2508 wrote to memory of 2456	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	36
PID 2508 wrote to memory of 2456	2508	bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe	36
PID 2456 wrote to memory of 2820	2456	cmd.exe	46
PID 2456 wrote to memory of 2820	2456	cmd.exe	46
PID 2456 wrote to memory of 2820	2456	cmd.exe	46
PID 2456 wrote to memory of 2820	2456	cmd.exe	46
PID 2324 wrote to memory of 2736	2324	net.exe	45
PID 2324 wrote to memory of 2736	2324	net.exe	45
PID 2324 wrote to memory of 2736	2324	net.exe	45
PID 2324 wrote to memory of 2736	2324	net.exe	45
PID 1092 wrote to memory of 2832	1092	cmd.exe	47
PID 1092 wrote to memory of 2832	1092	cmd.exe	47
PID 1092 wrote to memory of 2832	1092	cmd.exe	47
PID 1092 wrote to memory of 2832	1092	cmd.exe	47
PID 1472 wrote to memory of 2868	1472	cmd.exe	48
PID 1472 wrote to memory of 2868	1472	cmd.exe	48
PID 1472 wrote to memory of 2868	1472	cmd.exe	48
PID 1472 wrote to memory of 2868	1472	cmd.exe	48
PID 1644 wrote to memory of 2876	1644	net.exe	49
PID 1644 wrote to memory of 2876	1644	net.exe	49
PID 1644 wrote to memory of 2876	1644	net.exe	49
PID 1644 wrote to memory of 2876	1644	net.exe	49
PID 2868 wrote to memory of 2824	2868	net.exe	50
PID 2868 wrote to memory of 2824	2868	net.exe	50
PID 2868 wrote to memory of 2824	2868	net.exe	50
PID 2868 wrote to memory of 2824	2868	net.exe	50
PID 2180 wrote to memory of 2760	2180	cmd.exe	51
PID 2180 wrote to memory of 2760	2180	cmd.exe	51
PID 2180 wrote to memory of 2760	2180	cmd.exe	51
PID 2180 wrote to memory of 2760	2180	cmd.exe	51
PID 2832 wrote to memory of 2888	2832	net.exe	52
PID 2832 wrote to memory of 2888	2832	net.exe	52
PID 2832 wrote to memory of 2888	2832	net.exe	52
PID 2832 wrote to memory of 2888	2832	net.exe	52

C:\Users\Admin\AppData\Local\Temp\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf731bb4cf8fc8724c08864334e138a3_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /q c:\windows\system32\dllcache\terms*.*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net user breakts hacker /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\net.exe
    net user breakts hacker /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user breakts hacker /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- C:\Windows\SysWOW64\net.exe
  net localgroup administradores breakts /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administradores breakts /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Windows\SysWOW64\net.exe
  net group "Domain Admins" BreakTS /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "Domain Admins" BreakTS /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop sharedaccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode disable
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all > c:\windows\ipconfig.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\ipconfig.txt

Filesize
1KB

MD5
36ca8dc5fa7d91e94fc9db1bb3e078a3

SHA1
13eed34e8e7010c3bd57fb07d20e97137aebd643

SHA256
4a28728671867ecdd18089c6a3880665aef85e5c70b101e3f22cc87385c0a67e

SHA512
57535b09b5d00aa08c81572ac1b9803f472b738418b1c0f21e175d267f3150450acd748b2ba69024b2453e571e199dba74cdb5877c4d3ca2677b070e2a34fa51

Download Submit
memory/2508-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2508-3-0x0000000009880000-0x0000000009952000-memory.dmp

Filesize
840KB

Download
memory/2508-5-0x0000000009880000-0x0000000009952000-memory.dmp

Filesize
840KB

Download
memory/2508-29-0x0000000009880000-0x0000000009952000-memory.dmp

Filesize
840KB

Download