nanocore | d9e24d334fecee03e1da9c981510cfad9f144c62088a6321b557619f7d5dfc18

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IBAN for SWIFT.rtf
Size

725KB
MD5

fe46a6ba34a922c039c28678872177b4
SHA1

29c4422252ae39409c4396a38ce2203e7cb060db
SHA256

d9e24d334fecee03e1da9c981510cfad9f144c62088a6321b557619f7d5dfc18
SHA512

3ea5e8038015cae338054624a43f9ef5b9d2101a1d85356cde7d0ef0d18b18a6166fb2292593c0505fd89b81c45dbfb7d44c8117cbe5c46d9ec5ddfa3e4f9496
SSDEEP

6144:OwAYwAYwAXf6F0DeapmgknQbW9aoMaQRH3yCd3Lqc:6

Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

pnauco5.ddns.net:1664

Mutex

eb1d64e5-aaff-4fba-ba9c-c06fefd3c3fb

Attributes

activate_away_mode
true
backup_connection_host
pnauco5.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-06-22T21:33:04.863019036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1664
default_group
CAT
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
eb1d64e5-aaff-4fba-ba9c-c06fefd3c3fb
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
pnauco5.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1496	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1064	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2860	catat556529.exe
1792	catat556529.exe
676	catat556529.exe
1108	catat556529.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Manager = "C:\\Program Files (x86)\\UDP Manager\\udpmgr.exe"	catat556529.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	catat556529.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 1108	2860	catat556529.exe	40

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Manager\udpmgr.exe	catat556529.exe
File opened for modification	C:\Program Files (x86)\UDP Manager\udpmgr.exe	catat556529.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	catat556529.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	catat556529.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1496	EQNEDT32.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe
1192	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2012	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2860	catat556529.exe
2860	catat556529.exe
2860	catat556529.exe
2860	catat556529.exe
1064	powershell.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe
1108	catat556529.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1108	catat556529.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	catat556529.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1108	catat556529.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	WINWORD.EXE
2012	WINWORD.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2860	1496	EQNEDT32.EXE	32
PID 1496 wrote to memory of 2860	1496	EQNEDT32.EXE	32
PID 1496 wrote to memory of 2860	1496	EQNEDT32.EXE	32
PID 1496 wrote to memory of 2860	1496	EQNEDT32.EXE	32
PID 2012 wrote to memory of 2624	2012	WINWORD.EXE	35
PID 2012 wrote to memory of 2624	2012	WINWORD.EXE	35
PID 2012 wrote to memory of 2624	2012	WINWORD.EXE	35
PID 2012 wrote to memory of 2624	2012	WINWORD.EXE	35
PID 2860 wrote to memory of 1064	2860	catat556529.exe	36
PID 2860 wrote to memory of 1064	2860	catat556529.exe	36
PID 2860 wrote to memory of 1064	2860	catat556529.exe	36
PID 2860 wrote to memory of 1064	2860	catat556529.exe	36
PID 2860 wrote to memory of 676	2860	catat556529.exe	38
PID 2860 wrote to memory of 676	2860	catat556529.exe	38
PID 2860 wrote to memory of 676	2860	catat556529.exe	38
PID 2860 wrote to memory of 676	2860	catat556529.exe	38
PID 2860 wrote to memory of 1792	2860	catat556529.exe	39
PID 2860 wrote to memory of 1792	2860	catat556529.exe	39
PID 2860 wrote to memory of 1792	2860	catat556529.exe	39
PID 2860 wrote to memory of 1792	2860	catat556529.exe	39
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 2860 wrote to memory of 1108	2860	catat556529.exe	40
PID 1108 wrote to memory of 1192	1108	catat556529.exe	41
PID 1108 wrote to memory of 1192	1108	catat556529.exe	41
PID 1108 wrote to memory of 1192	1108	catat556529.exe	41
PID 1108 wrote to memory of 1192	1108	catat556529.exe	41
PID 1108 wrote to memory of 2128	1108	catat556529.exe	43
PID 1108 wrote to memory of 2128	1108	catat556529.exe	43
PID 1108 wrote to memory of 2128	1108	catat556529.exe	43
PID 1108 wrote to memory of 2128	1108	catat556529.exe	43

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IBAN for SWIFT.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2624

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Roaming\catat556529.exe
  "C:\Users\Admin\AppData\Roaming\catat556529.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\catat556529.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Users\Admin\AppData\Roaming\catat556529.exe
    "C:\Users\Admin\AppData\Roaming\catat556529.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Users\Admin\AppData\Roaming\catat556529.exe
    "C:\Users\Admin\AppData\Roaming\catat556529.exe"
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\Users\Admin\AppData\Roaming\catat556529.exe
    "C:\Users\Admin\AppData\Roaming\catat556529.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF7E6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1192
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF854.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF7E6.tmp

Filesize
1KB

MD5
951d0024fbd20ba001be2472e94b14f9

SHA1
7eece72e8ac47ecf74a90c02b10e2bd3e533d8c3

SHA256
63a40a9230307008f4417015555e307f59c2879e7f07b2128c7865cc5aea6498

SHA512
1ee0508dbba3bb13c77377ba0a47f42f4a3d37d80341ed3ed4de17ebae50dbc4003828ecf472b52172b665eb42d33239ff320757788056c8809ad21b5c414e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF854.tmp

Filesize
1KB

MD5
c1c4b266e129249076bbe8a15cc5e06c

SHA1
312b8173c264245c834eee91e05dcca845c341f8

SHA256
f336d06dcadca621be6b2dc9493dcb84d871497e65142bc9fdd72c9f250a1b7b

SHA512
0f02ec7700f89d95d29014eec42d13c85234351c3fe1dc6a3efeea52ea76ca4bea3151567a6c798b5ce658d481b424646b43d93e95ccad897356a87a25d45041

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
3c4d4fafcdc9c94ec9e6b183c55dcc8e

SHA1
3c67ba341c9e52449a84d8a83671a3e4a9a4fe67

SHA256
c7df42e9f521d7e7e0ed645cec3bb383620f9418763b0ca4e235c2cd99b815f9

SHA512
20eabb25c1dc0bfdb9f4829310e5f53b0fcdc60875c919567b81417c6642fdc490f1fb035c13d7d6f5d9d12a8bbe24dc8b73820766d8d522dd3462e4b480c6c8

Download Submit
\Users\Admin\AppData\Roaming\catat556529.exe

Filesize
586KB

MD5
c57605f42ee1a9bca80cbbc689d2999e

SHA1
538b4237b1fc2305a2bdf843417c0ba2c73d4599

SHA256
a50cfb5151a5a5f566c33e17333df9c56d052ff2a0b4b41732ed8dd50b306e9a

SHA512
9200ebea30dab0769baf9e4ad64ddd63c8905d6253d90313403cfeec407b42553d32987fc1d1db4b19445ac9bfb51fd91f0ea9ad1236e432624d4a9b09932af1

Download Submit
memory/1108-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-44-0x0000000000520000-0x000000000053E000-memory.dmp

Filesize
120KB

Download
memory/1108-59-0x0000000001F90000-0x0000000001FA4000-memory.dmp

Filesize
80KB

Download
memory/1108-58-0x0000000002280000-0x00000000022AE000-memory.dmp

Filesize
184KB

Download
memory/1108-57-0x0000000001F30000-0x0000000001F3E000-memory.dmp

Filesize
56KB

Download
memory/1108-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1108-56-0x0000000001F20000-0x0000000001F34000-memory.dmp

Filesize
80KB

Download
memory/1108-55-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1108-43-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1108-54-0x0000000000AF0000-0x0000000000B04000-memory.dmp

Filesize
80KB

Download
memory/1108-45-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/1108-48-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1108-49-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/1108-50-0x0000000000810000-0x000000000081E000-memory.dmp

Filesize
56KB

Download
memory/1108-51-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/1108-52-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/1108-53-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2012-2-0x000000007136D000-0x0000000071378000-memory.dmp

Filesize
44KB

Download
memory/2012-0-0x000000002F781000-0x000000002F782000-memory.dmp

Filesize
4KB

Download
memory/2012-16-0x000000007136D000-0x0000000071378000-memory.dmp

Filesize
44KB

Download
memory/2012-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2012-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2860-15-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2860-14-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2860-17-0x00000000052C0000-0x000000000533A000-memory.dmp

Filesize
488KB

Download