ramnit | e5f86bb461811179e1a4e45dc11f78616a73e9e2c471c82244a5693a1db93255

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
Size

166KB
MD5

f5bd5c44a6eccf5f5267d2f276fbdbf3
SHA1

fb2a00f06edd413864368786b7959beb456a1bec
SHA256

e5f86bb461811179e1a4e45dc11f78616a73e9e2c471c82244a5693a1db93255
SHA512

9ec475423b6b45c5e4a3fea0e3161ec296bb639389aa354a9c59b20feabc08c17489a34d0ca3a97992c705648abc01c125855c7cd8a3bdd9a87ed2564be139fe
SSDEEP

3072:npSEyBZks6zJ8XfwBOg3jO8vmk/Y3PFdEHlizroo/f0n8gJltp:p7IZks6zJEfwBOg3S8uk/+PuYzrFXQ8o

Score

10^/10

ramnit banker defense_evasion discovery evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vkecccdj\\envomcma.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\envomcma.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\envomcma.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
2160	vvqjreogoeimdkvv.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2248	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
2248	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EnvOmcma = "C:\\Users\\Admin\\AppData\\Local\\vkecccdj\\envomcma.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvqjreogoeimdkvv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
Token: SeDebugPrivilege	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
Token: SeSecurityPrivilege	2104	svchost.exe
Token: SeSecurityPrivilege	2520	svchost.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeSecurityPrivilege	2160	vvqjreogoeimdkvv.exe
Token: SeLoadDriverPrivilege	2160	vvqjreogoeimdkvv.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1964	2248	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1964	2248	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2104	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	31
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2520	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	32
PID 1964 wrote to memory of 2160	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	34
PID 1964 wrote to memory of 2160	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	34
PID 1964 wrote to memory of 2160	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	34
PID 1964 wrote to memory of 2160	1964	f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe	34

C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks BIOS information in registry
    - Drops startup file
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\vvqjreogoeimdkvv.exe
    "C:\Users\Admin\AppData\Local\Temp\vvqjreogoeimdkvv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f5bd5c44a6eccf5f5267d2f276fbdbf3_JaffaCakes118mgr.exe

Filesize
114KB

MD5
aa90720d221cfcd886079a1e45153beb

SHA1
1dd3aa721f00bd5cfb1388f232d0c820add2e4cc

SHA256
d1c85438bd36cb0c3651b1d9c6cdfe875bd6551093104706efb07417d3939be7

SHA512
2f96f1bc3a9e403f5f15d1b35a7d13ba78793891bd278408611cf3fa74be54589b0926df3820ba4d1e2ac9f8600eace174ec30f0453ea961d239f80538f7047d

Download Submit
memory/1964-84-0x000000007765F000-0x0000000077660000-memory.dmp

Filesize
4KB

Download
memory/1964-74-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-19-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/1964-18-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1964-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-14-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/1964-83-0x0000000002A60000-0x0000000002A99000-memory.dmp

Filesize
228KB

Download
memory/1964-75-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/1964-45-0x000000007765F000-0x0000000077660000-memory.dmp

Filesize
4KB

Download
memory/1964-17-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/1964-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-28-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2104-36-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2104-35-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2104-34-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2104-33-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2104-29-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2104-21-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2104-27-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2104-23-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2160-99-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/2160-94-0x0000000000400000-0x0000000000438AA8-memory.dmp

Filesize
226KB

Download
memory/2160-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-13-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2248-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2248-11-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2248-112-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2248-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2520-46-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-103-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-39-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-62-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-63-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-101-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-102-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-56-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-104-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-105-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-106-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-108-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-109-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-110-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2520-55-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download