e06c490758709eff468df8f8afda86b8411758fd93ee16e14e6153de5ee933e2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IAS.cmd
Size

31KB
MD5

e2e2b6fb84ed23b2950f26939c36fdf5
SHA1

7988b5c71397db6fc4a611a54f7d5622eef73f40
SHA256

e06c490758709eff468df8f8afda86b8411758fd93ee16e14e6153de5ee933e2
SHA512

70a14feca5efc2e699ab9f190fd508cf5aab0daa5c8447ac06f7da0b1cb32bd1781b5fa91440483b2fb4eac10ebd611b28e582ee364d2681bb131eee1fb9aeaf
SSDEEP

384:mNnhCo3piIUTUq5rrQmJbnl7+qK14TEJYab:mNn/ZiBAq5rrQmFl7G4gJYab

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4652	powershell.exe
2360	powershell.exe
2520	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1816	sc.exe
1840	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3488	cmd.exe
4072	PING.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\CLSID\IAS_TEST	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Wow6432Node\CLSID\IAS_TEST	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\CLSID\IAS_TEST\	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4288	reg.exe
4392	reg.exe
1920	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4072	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4652	powershell.exe
4652	powershell.exe
2360	powershell.exe
2360	powershell.exe
2520	powershell.exe
2520	powershell.exe
3248	powershell.exe
3248	powershell.exe
2944	powershell.exe
2944	powershell.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
968	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1816	808	cmd.exe	84
PID 808 wrote to memory of 1816	808	cmd.exe	84
PID 808 wrote to memory of 532	808	cmd.exe	85
PID 808 wrote to memory of 532	808	cmd.exe	85
PID 808 wrote to memory of 4936	808	cmd.exe	86
PID 808 wrote to memory of 4936	808	cmd.exe	86
PID 808 wrote to memory of 4564	808	cmd.exe	87
PID 808 wrote to memory of 4564	808	cmd.exe	87
PID 808 wrote to memory of 3956	808	cmd.exe	88
PID 808 wrote to memory of 3956	808	cmd.exe	88
PID 808 wrote to memory of 4992	808	cmd.exe	89
PID 808 wrote to memory of 4992	808	cmd.exe	89
PID 808 wrote to memory of 4996	808	cmd.exe	90
PID 808 wrote to memory of 4996	808	cmd.exe	90
PID 4996 wrote to memory of 1788	4996	cmd.exe	91
PID 4996 wrote to memory of 1788	4996	cmd.exe	91
PID 4996 wrote to memory of 1176	4996	cmd.exe	92
PID 4996 wrote to memory of 1176	4996	cmd.exe	92
PID 808 wrote to memory of 3796	808	cmd.exe	93
PID 808 wrote to memory of 3796	808	cmd.exe	93
PID 808 wrote to memory of 1164	808	cmd.exe	94
PID 808 wrote to memory of 1164	808	cmd.exe	94
PID 808 wrote to memory of 4652	808	cmd.exe	95
PID 808 wrote to memory of 4652	808	cmd.exe	95
PID 808 wrote to memory of 2984	808	cmd.exe	96
PID 808 wrote to memory of 2984	808	cmd.exe	96
PID 808 wrote to memory of 1912	808	cmd.exe	97
PID 808 wrote to memory of 1912	808	cmd.exe	97
PID 808 wrote to memory of 968	808	cmd.exe	98
PID 808 wrote to memory of 968	808	cmd.exe	98
PID 968 wrote to memory of 2360	968	conhost.exe	99
PID 968 wrote to memory of 2360	968	conhost.exe	99
PID 2360 wrote to memory of 3220	2360	powershell.exe	100
PID 2360 wrote to memory of 3220	2360	powershell.exe	100
PID 3220 wrote to memory of 1840	3220	cmd.exe	101
PID 3220 wrote to memory of 1840	3220	cmd.exe	101
PID 3220 wrote to memory of 1584	3220	cmd.exe	102
PID 3220 wrote to memory of 1584	3220	cmd.exe	102
PID 3220 wrote to memory of 3008	3220	cmd.exe	103
PID 3220 wrote to memory of 3008	3220	cmd.exe	103
PID 3220 wrote to memory of 4716	3220	cmd.exe	104
PID 3220 wrote to memory of 4716	3220	cmd.exe	104
PID 3220 wrote to memory of 3604	3220	cmd.exe	105
PID 3220 wrote to memory of 3604	3220	cmd.exe	105
PID 3220 wrote to memory of 2340	3220	cmd.exe	106
PID 3220 wrote to memory of 2340	3220	cmd.exe	106
PID 3220 wrote to memory of 3200	3220	cmd.exe	107
PID 3220 wrote to memory of 3200	3220	cmd.exe	107
PID 3200 wrote to memory of 4060	3200	cmd.exe	108
PID 3200 wrote to memory of 4060	3200	cmd.exe	108
PID 3200 wrote to memory of 2704	3200	cmd.exe	109
PID 3200 wrote to memory of 2704	3200	cmd.exe	109
PID 3220 wrote to memory of 4608	3220	cmd.exe	110
PID 3220 wrote to memory of 4608	3220	cmd.exe	110
PID 3220 wrote to memory of 2700	3220	cmd.exe	111
PID 3220 wrote to memory of 2700	3220	cmd.exe	111
PID 3220 wrote to memory of 2520	3220	cmd.exe	112
PID 3220 wrote to memory of 2520	3220	cmd.exe	112
PID 3220 wrote to memory of 1992	3220	cmd.exe	113
PID 3220 wrote to memory of 1992	3220	cmd.exe	113
PID 3220 wrote to memory of 1548	3220	cmd.exe	114
PID 3220 wrote to memory of 1548	3220	cmd.exe	114
PID 3220 wrote to memory of 3488	3220	cmd.exe	115
PID 3220 wrote to memory of 3488	3220	cmd.exe	115

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IAS.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:532
- C:\Windows\System32\findstr.exe
  findstr /v "$" "IAS.cmd"
  2⤵
  PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4564
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3956
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:1788
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\IAS.cmd" "
  2⤵
  PID:3796
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\IAS.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:2984
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:1912
- C:\Windows\System32\conhost.exe
  conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\AppData\Local\Temp\IAS.cmd""" -el -qedit'"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\Admin\AppData\Local\Temp\IAS.cmd\" -el -qedit'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\IAS.cmd" -el -qedit"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:1840
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:1584
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "IAS.cmd"
        5⤵
        
        PID:3008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:4716
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:3604
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:2340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:4060
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:2704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\IAS.cmd" "
        5⤵
        
        PID:4608
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\IAS.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:1548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3488
      - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 iasupdatecheck.massgrave.dev
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
        5⤵
        
        PID:2036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\\Software
        5⤵
        
        PID:2876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
        5⤵
        
        PID:4496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\Software
        5⤵
        
        PID:2228
    - - C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        5⤵
        Modifies registry key
        
        PID:4288
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\IAS_TEST /f
        5⤵
        
        PID:1744
    - - C:\Windows\System32\reg.exe
        
        reg add HKCU\IAS_TEST
        5⤵
        Modifies registry key
        
        PID:4392
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\IAS_TEST
        5⤵
        
        PID:3848
    - - C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        5⤵
        Modifies registry key
        
        PID:1920
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\IAS_TEST /f
        5⤵
        
        PID:3224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:2252
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:1944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\DownloadManager" /v ExePath 2>nul
        5⤵
        
        PID:2264
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\DownloadManager" /v ExePath
        6⤵
        
        PID:3104
    - - C:\Windows\System32\reg.exe
        
        reg add HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        5⤵
        Modifies registry class
        
        PID:60
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        5⤵
        
        PID:744
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
        5⤵
        Modifies registry class
        
        PID:1176
    - - C:\Windows\System32\mode.com
        
        mode 75, 28
        5⤵
        
        PID:2132
    - - C:\Windows\System32\choice.exe
        
        choice /C:123450 /N
        5⤵
        
        PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f0f8c49b22409ca78499f5df1ce9456

SHA1
5300f7ed636959c8c8366418e891dbe49a3edba9

SHA256
429128efcec165baf50a81021e610933e1020f5298d865f7b30daf370fb22014

SHA512
ca976a7ab0ef4782c3003433e8d99d34d8060cb3a8790e787b56db1e207902b9dd15ecb6e76fecbd00f5e83a8add34329b25f86b90c62055f0d0d1de5607d2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3613f4d620a55c8844fa5dc2af72aaa6

SHA1
338c9acd3b47e1966eeb9bd77eaff0e1da09fe9e

SHA256
52d6fafd5d1d6b3ba7d86c578e58dd38b2226866687fc4dcdf67eb1de2171e8f

SHA512
1bbd9a544bb7dae3155cc85eccbeaf2634c4eb8339a2aee3d3bf3bc15426681e2fc073ed352a8f2100ac273a09fd784933ec9d8195cb3f8bf36b6d58072e7b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cdc88bf402fba8ca789c5d09d3fac971

SHA1
3d28efdd72586c632579de42a9b841b9495849a1

SHA256
326dffce68eaef9e47c49881f668d13e723ba4dd9fbb7f13811644e0ef9102bd

SHA512
752a1d957a2c760d81395b6f67b6349a05d8b966707bbeb096676f1e9fabda3d3f80961559486842d05652944bc6191d1f923fb4fe9dbbedce27477d474305c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mig2hzy.ob1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4652-0-0x0000028D01DD0000-0x0000028D01DF2000-memory.dmp

Filesize
136KB

Download