ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369

Analysis

max time kernel
148s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369.vbe
Size

10KB
MD5

90d3ad68895627841ba7ac18079fc0b1
SHA1

a00920b635b500f67983ab4bed25a38df9bd5549
SHA256

ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369
SHA512

8e3d459a1d11cadfc336c364918c97ecf0004418afb890bd3b36e9139d30bfe956266f2e87e29e2e5df46b01e94c1bc64b9964b3a556ad64f6a5b2a8afb493b6
SSDEEP

192:xXNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5FYleLMl/1uw5YOAxJhHFK:xNElLAAKjBLf1UWobElwMl/mHHs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2416	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2644	powershell.exe
2644	powershell.exe
1972	powershell.exe
1972	powershell.exe
1176	powershell.exe
1176	powershell.exe
2248	powershell.exe
2248	powershell.exe
1580	powershell.exe
1580	powershell.exe
2020	powershell.exe
2020	powershell.exe
1368	powershell.exe
1368	powershell.exe
2576	powershell.exe
2576	powershell.exe
2612	powershell.exe
2612	powershell.exe
1636	powershell.exe
1636	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 2752	712	taskeng.exe	32
PID 712 wrote to memory of 2752	712	taskeng.exe	32
PID 712 wrote to memory of 2752	712	taskeng.exe	32
PID 2752 wrote to memory of 2644	2752	WScript.exe	34
PID 2752 wrote to memory of 2644	2752	WScript.exe	34
PID 2752 wrote to memory of 2644	2752	WScript.exe	34
PID 2644 wrote to memory of 2620	2644	powershell.exe	36
PID 2644 wrote to memory of 2620	2644	powershell.exe	36
PID 2644 wrote to memory of 2620	2644	powershell.exe	36
PID 2752 wrote to memory of 1972	2752	WScript.exe	37
PID 2752 wrote to memory of 1972	2752	WScript.exe	37
PID 2752 wrote to memory of 1972	2752	WScript.exe	37
PID 1972 wrote to memory of 2940	1972	powershell.exe	39
PID 1972 wrote to memory of 2940	1972	powershell.exe	39
PID 1972 wrote to memory of 2940	1972	powershell.exe	39
PID 2752 wrote to memory of 1176	2752	WScript.exe	40
PID 2752 wrote to memory of 1176	2752	WScript.exe	40
PID 2752 wrote to memory of 1176	2752	WScript.exe	40
PID 1176 wrote to memory of 1952	1176	powershell.exe	42
PID 1176 wrote to memory of 1952	1176	powershell.exe	42
PID 1176 wrote to memory of 1952	1176	powershell.exe	42
PID 2752 wrote to memory of 2248	2752	WScript.exe	43
PID 2752 wrote to memory of 2248	2752	WScript.exe	43
PID 2752 wrote to memory of 2248	2752	WScript.exe	43
PID 2248 wrote to memory of 2544	2248	powershell.exe	45
PID 2248 wrote to memory of 2544	2248	powershell.exe	45
PID 2248 wrote to memory of 2544	2248	powershell.exe	45
PID 2752 wrote to memory of 1580	2752	WScript.exe	46
PID 2752 wrote to memory of 1580	2752	WScript.exe	46
PID 2752 wrote to memory of 1580	2752	WScript.exe	46
PID 1580 wrote to memory of 2316	1580	powershell.exe	48
PID 1580 wrote to memory of 2316	1580	powershell.exe	48
PID 1580 wrote to memory of 2316	1580	powershell.exe	48
PID 2752 wrote to memory of 2020	2752	WScript.exe	49
PID 2752 wrote to memory of 2020	2752	WScript.exe	49
PID 2752 wrote to memory of 2020	2752	WScript.exe	49
PID 2020 wrote to memory of 676	2020	powershell.exe	51
PID 2020 wrote to memory of 676	2020	powershell.exe	51
PID 2020 wrote to memory of 676	2020	powershell.exe	51
PID 2752 wrote to memory of 1368	2752	WScript.exe	52
PID 2752 wrote to memory of 1368	2752	WScript.exe	52
PID 2752 wrote to memory of 1368	2752	WScript.exe	52
PID 1368 wrote to memory of 2352	1368	powershell.exe	54
PID 1368 wrote to memory of 2352	1368	powershell.exe	54
PID 1368 wrote to memory of 2352	1368	powershell.exe	54
PID 2752 wrote to memory of 2576	2752	WScript.exe	55
PID 2752 wrote to memory of 2576	2752	WScript.exe	55
PID 2752 wrote to memory of 2576	2752	WScript.exe	55
PID 2576 wrote to memory of 2812	2576	powershell.exe	57
PID 2576 wrote to memory of 2812	2576	powershell.exe	57
PID 2576 wrote to memory of 2812	2576	powershell.exe	57
PID 2752 wrote to memory of 2612	2752	WScript.exe	58
PID 2752 wrote to memory of 2612	2752	WScript.exe	58
PID 2752 wrote to memory of 2612	2752	WScript.exe	58
PID 2612 wrote to memory of 1808	2612	powershell.exe	60
PID 2612 wrote to memory of 1808	2612	powershell.exe	60
PID 2612 wrote to memory of 1808	2612	powershell.exe	60
PID 2752 wrote to memory of 1636	2752	WScript.exe	61
PID 2752 wrote to memory of 1636	2752	WScript.exe	61
PID 2752 wrote to memory of 1636	2752	WScript.exe	61
PID 1636 wrote to memory of 2264	1636	powershell.exe	63
PID 1636 wrote to memory of 2264	1636	powershell.exe	63
PID 1636 wrote to memory of 2264	1636	powershell.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369.vbe"
1⤵
- Blocklisted process makes network request
PID:2416

C:\Windows\system32\taskeng.exe
taskeng.exe {63A9BA4F-B04D-4A31-884E-C90664C26936} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2644" "1228"
      4⤵
      PID:2620
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1972" "1248"
      4⤵
      PID:2940
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1176" "1240"
      4⤵
      PID:1952
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2248" "1248"
      4⤵
      PID:2544
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1580" "1240"
      4⤵
      PID:2316
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2020" "1244"
      4⤵
      PID:676
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1368" "1240"
      4⤵
      PID:2352
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2576" "1236"
      4⤵
      PID:2812
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2612" "1228"
      4⤵
      PID:1808
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1636" "1240"
      4⤵
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259450976.txt

Filesize
1KB

MD5
3a4e417c44efef6193f2ed9aac644818

SHA1
0bb429764f6e7d10601a01d835322fcd13234a4d

SHA256
7fae41604b411c8540ba6c1a77006ad343f282dc0029375a6e0fa3a22791cf66

SHA512
67bfc850ca1adbaa409444062dc65ec1bea7fe28f3dbb591e783c0a80a1c45f1b462dbcc9a4bd6c245fb3ea9ab7a3c4bbf30b286a3642793c1179a011816d6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259464207.txt

Filesize
1KB

MD5
e2241b33367d7dc2044f7e739515c35c

SHA1
72fdc68be2d81a585ddfb86ee83445c438f008f6

SHA256
a2ea1a4ba0778e6b96869e6a6f2fa147708bd15edfde693cb23063ccedd4bc77

SHA512
5aac6047cd6b6cbb3f1efa56644162763689006eb4ad978129be8a499cd2673cb218b201153c8bd3d8230e119c30b4a439ce2690d9fd4757dd092db9d47dbeee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259478033.txt

Filesize
1KB

MD5
96fdb1301613a5ff0763ff9f60e3a437

SHA1
4ada4c027f7f0835e358fc71d3cdf36b9d99c76a

SHA256
eea0abfc69ed81834cf297a936e19bc0d0fe57f400301f0066c4a4fb82a7d5dd

SHA512
606dcb46a2c5474c2db6eb94c59ab9f12eacd8385ab8d9dd42fbd74a75e31bf87333b0d524d1540b99b63c3427344d848b55c310ac21535d9b5fb0266f3fb9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496301.txt

Filesize
1KB

MD5
c17670889002703aa71e80342c1024eb

SHA1
e39b54bbf5c7276a0fa64f65d6302a59985bc34b

SHA256
cac0a129754f6ccbc895cf572aa62efcf3e4f88dbfe4da6e757b198f47ccad5e

SHA512
d16f96c6ca69ad8695c2827cb8b615ebfe41867906fd24de7b1f9715d21037dc9f66558b54bb6d628d9f48a4351152bee65e68d236dbe6d7b9d769bf12a2eae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259508956.txt

Filesize
1KB

MD5
fce42340438d72240e46575e7cdac110

SHA1
edcca18b3fd77b47d72c9d710d3a4c6a9b956c72

SHA256
c140bf872551a495f9756c57e7a94526c9450dbabcbaea9a29864bace052f0cb

SHA512
0f1177876a2b7e53a1204a401b967d63bc043ef50605989c4f794dc0e14984aec6580dcc6f2504a347500a878d2c2334ae35863cc8cd564d7975b6015abb02ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259526623.txt

Filesize
1KB

MD5
52f846784fb72a463eeab5dab744bd33

SHA1
e9c1aea59e096f6026ad60b6f12cdc618ebfb0e3

SHA256
8ba9779ae947732b8b0a18a10d28a1af51f955429f40fcbea586c01c53741064

SHA512
f6f50fe8c2b66d71984c1b9933f170a581f3d145af97389ed344068d588b8ce1e00222ae8fcb0530de1bc936c2a981fe46fd42edadb1e00b9038dcb875d75754

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540702.txt

Filesize
1KB

MD5
65d13d486b843b11b982034cd07eeacc

SHA1
a5c563758d60bf3fd4a5401a0d8dd677dc193934

SHA256
84964621758e0c60af6bb57dbfa9f82098108d86b94f37bbe6de3094590ca339

SHA512
de1cc7be416e56ccff1186fc325f63859b30df1d8d3f262c4abbb90268ca01ad258d4860721c91b4a85fce37078130d9b78464368b26576a6c531e586f37eff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259553083.txt

Filesize
1KB

MD5
7df74394cd463b644b7d10cfc5e7b8ea

SHA1
1bfa02f9a94ccb9acb05ae90e3b28e096ac6509b

SHA256
2934e3078a81119fe81736edae415c7f91414ee33c47ef0b5b168a19c2874aa6

SHA512
6943808750f4b2e84e4a7ea4582521f04827a73a1de0ede8cf39ae061b5c92ffa13ad90e906d77c5e39a1c32b1de22f6eb234a9ab765a78ccb1ceee909b09642

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259568485.txt

Filesize
1KB

MD5
2fd25935615d592c6ce09d7b41f6ba52

SHA1
1f2e0e3f7db8f3e445fb43e88c0657b1aac6782a

SHA256
140f0030fd2f6ef486854c75935d71406865e46e11e0ce58be0a63c388fe0208

SHA512
dcc41e80350e5e6e1cab54aeedf9ef770332196dd6eb050b7233f1b7525b61035058c140d3ec70d005917ec4f72406f3d4de2365103f6b2f58c0b7b4d51247f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584892.txt

Filesize
1KB

MD5
f102c4b2da74c90c0e194b1da157e6af

SHA1
667268888d62c74207dae0e57c163956bc192c9e

SHA256
b4dae8a21ab5cd1ba30691544b61438f186a3f7aedaa051fdcc5dcbcb9677f23

SHA512
1f1230476a4b6300f5c423c1c9ebe43003172d113ba4aeee4a793e43f94f47f00fc05a0bfc2fc10f055cc82f38171f4019813993e79b481221c31a0bfa80fdce

Download Submit
C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs

Filesize
2KB

MD5
e26532ee5fd577e459897da6e2d1fd35

SHA1
fd22513992dd197796bdd70a15d0e91fedcc230c

SHA256
e5441fd6bf5a366d4144553a3caf44ed09d6fb7cb085de728579c556def1e329

SHA512
c44fe8cd1c9d0f3727d15a08cb288fec1593deecc2bee5bde9a00c7f8d241f014c0a539ae6c1c0c05e2243d81046855f62a19633f6b17d238303e475271055b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d076281a8d3d2e6bde6f2bcc189c0d9a

SHA1
0fcfa50f2d337c0c835943d13e00207850f837a7

SHA256
52d938af9a478019e13f86deef52a7f3b98fb86145d8822aa77fe3a1ca77f455

SHA512
90e8e766b6d9faa771a853cdd3438fed31511dd7c12c2418a44db75bedd53981c5f959293e37cc2137b541c1158ac99d174b7bc29dedd4b2588fe7f6cbea98de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\US7A5R10YULIDBV0GPM2.temp

Filesize
7KB

MD5
ca3eeb91f7512704945382c3297d0973

SHA1
be16cfe10c9dc6ec8486ed0d53cd5a6c4c264f8e

SHA256
f52a074867cb86705e89f52ddf8580cc92eecd3f8094353c510a65b7dcc72cfc

SHA512
fb7d16eb2a534911ed5273121f0123ca32f1c9ad59d6350235b76485197723e469f1aadcc5c28d2cfc3fa7b7d26af21dba63abd6dd76b32577485253b512e074

Download Submit
memory/1972-18-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1972-17-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2644-6-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2644-7-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2644-8-0x0000000002AD0000-0x0000000002ADA000-memory.dmp

Filesize
40KB

Download