xworm | 3c2bfb840a89298362078051b0b0090acb291298cfa3189572ecdc954baaed0f

Analysis

max time kernel
43s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SamsungCommisonforgbz.rar
Size

98KB
MD5

9330d37c4bcf02a000ffe70aa5720230
SHA1

a8994e89130edf420de677ff38e075a40ad28d3a
SHA256

3c2bfb840a89298362078051b0b0090acb291298cfa3189572ecdc954baaed0f
SHA512

0eb4079be6b705e47d342765bb96f96ca8cd916e86502fe321327c29144e9e0ffea9603723861536b02db137dbf3cb9a4bab56567e362138405d79365489647a
SSDEEP

3072:uSJOBvUkaczRfb6iTYW5jdFtfSqCpv3S/1i:uaOVPJPT3fSqChSNi

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cc6-20.dat	family_xworm
behavioral1/memory/776-23-0x0000000000AC0000-0x0000000000AD6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3820	powershell.exe
3332	powershell.exe
4408	powershell.exe
3292	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SamsungCommisionExternal.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk	SamsungCommisionExternal.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk	SamsungCommisionExternal.exe

Executes dropped EXE 1 IoCs

pid	Process
776	SamsungCommisionExternal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Smasmug = "C:\\Users\\Admin\\AppData\\Roaming\\Smasmug"	SamsungCommisionExternal.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "46"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3820	powershell.exe
3820	powershell.exe
3332	powershell.exe
3332	powershell.exe
4408	powershell.exe
4408	powershell.exe
3292	powershell.exe
3292	powershell.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
776	SamsungCommisionExternal.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	7zFM.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2316	7zFM.exe
Token: 35	2316	7zFM.exe
Token: SeSecurityPrivilege	2316	7zFM.exe
Token: SeDebugPrivilege	776	SamsungCommisionExternal.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	776	SamsungCommisionExternal.exe
Token: SeDebugPrivilege	4516	taskmgr.exe
Token: SeSystemProfilePrivilege	4516	taskmgr.exe
Token: SeCreateGlobalPrivilege	4516	taskmgr.exe
Token: SeShutdownPrivilege	3332	shutdown.exe
Token: SeRemoteShutdownPrivilege	3332	shutdown.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2316	7zFM.exe
2316	7zFM.exe
2316	7zFM.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe
4516	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
776	SamsungCommisionExternal.exe
2684	LogonUI.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 3820	776	SamsungCommisionExternal.exe	88
PID 776 wrote to memory of 3820	776	SamsungCommisionExternal.exe	88
PID 776 wrote to memory of 3332	776	SamsungCommisionExternal.exe	90
PID 776 wrote to memory of 3332	776	SamsungCommisionExternal.exe	90
PID 776 wrote to memory of 4408	776	SamsungCommisionExternal.exe	92
PID 776 wrote to memory of 4408	776	SamsungCommisionExternal.exe	92
PID 776 wrote to memory of 3292	776	SamsungCommisionExternal.exe	94
PID 776 wrote to memory of 3292	776	SamsungCommisionExternal.exe	94
PID 776 wrote to memory of 3332	776	SamsungCommisionExternal.exe	110
PID 776 wrote to memory of 3332	776	SamsungCommisionExternal.exe	110

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SamsungCommisonforgbz.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2772

C:\Users\Admin\Desktop\real shit\SamsungCommisionExternal.exe
"C:\Users\Admin\Desktop\real shit\SamsungCommisionExternal.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\real shit\SamsungCommisionExternal.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SamsungCommisionExternal.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3332

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397e055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghcg31zj.v0s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk

Filesize
747B

MD5
7d864381d0ae5c9df3213bece0be6770

SHA1
a26b370e05fde2181bb6821864e030319f183763

SHA256
59eb0d613371bab4c7dc2148e9923a35da499b5ee94d684acb0faf3bb675d5ed

SHA512
17fa38537923f0aa42e948d4027258a60ab1bb1df8523d82cc3fa5daa6077ec0453ea9609bee7515841e6b3f25d73fbd102297998d91926e4edbdf62481a5d5c

Download Submit
C:\Users\Admin\Desktop\real shit\SamsungCommisionExternal.exe

Filesize
63KB

MD5
6f30a565049364df3068b5bc88fd36d6

SHA1
2ca485eb96156bfc561acd69649cf3339da6c610

SHA256
e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d

SHA512
c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe

Download Submit
memory/776-101-0x00007FFCA4BE0000-0x00007FFCA56A1000-memory.dmp

Filesize
10.8MB

Download
memory/776-24-0x00007FFCA4BE0000-0x00007FFCA56A1000-memory.dmp

Filesize
10.8MB

Download
memory/776-23-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/776-22-0x00007FFCA4BE3000-0x00007FFCA4BE5000-memory.dmp

Filesize
8KB

Download
memory/776-83-0x00007FFCA4BE0000-0x00007FFCA56A1000-memory.dmp

Filesize
10.8MB

Download
memory/776-100-0x000000001D9E0000-0x000000001D9EC000-memory.dmp

Filesize
48KB

Download
memory/3292-72-0x0000021F66830000-0x0000021F66A4C000-memory.dmp

Filesize
2.1MB

Download
memory/3820-37-0x000002423F7E0000-0x000002423F9FC000-memory.dmp

Filesize
2.1MB

Download
memory/3820-34-0x000002423FB30000-0x000002423FB52000-memory.dmp

Filesize
136KB

Download
memory/4516-84-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-96-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-95-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-94-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-93-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-92-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-91-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-90-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-85-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-86-0x0000023170DB0000-0x0000023170DB1000-memory.dmp

Filesize
4KB

Download