Overview

overview

10

Static

static

10

XWorm-Rat-...er.exe

windows10-2004-x64

1

XWorm-Rat-...NC.exe

windows10-2004-x64

8

XWorm-Rat-...er.exe

windows10-2004-x64

1

XWorm-Rat-...UI.exe

windows10-2004-x64

10

XWorm-Rat-...ib.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe

  • Size

    1.9MB

  • MD5

    4904329d091687c9deb08d9bd7282e77

  • SHA1

    bcf7fcebb52cad605cb4de65bdd077e600475cc7

  • SHA256

    e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd

  • SHA512

    b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb

  • SSDEEP

    24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr

Score
8/10
agilenetexecutionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4956
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1200
    • C:\Users\Admin\Downloads\XHVNC-Client.exe
      "C:\Users\Admin\Downloads\XHVNC-Client.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1168
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EHYBJ2 127.0.0.1 8000 LW3RDU
        2⤵
          PID:1968
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2284
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1548
      • C:\Users\Admin\Downloads\XHVNC-Client.exe
        "C:\Users\Admin\Downloads\XHVNC-Client.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          2⤵
            PID:4016
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" EHYBJ2 127.0.0.1 8000 LW3RDU
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3280
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /F /IM brave.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2212
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:756
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /F /IM chrome.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1684
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /F /IM msedge.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4320
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5012
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /F /IM firefox.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4500
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3364
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /F /IM opera.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2896
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4072
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c powershell.exe -exec bypass -File "C:\Users\Admin\AppData\Local\Temp\ResetScale.ps1"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3356
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -exec bypass -File "C:\Users\Admin\AppData\Local\Temp\ResetScale.ps1"
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3448
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2a3iivy\p2a3iivy.cmdline"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1056
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5C7.tmp" "c:\Users\Admin\AppData\Local\Temp\p2a3iivy\CSC20C000A388D405EB8763A7EFCFF3EDC.TMP"
                    6⤵
                      PID:3204

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Active Setup

          1
          T1547.014

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Active Setup

          1
          T1547.014

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Query Registry

          3
          T1012

          Peripheral Device Discovery

          2
          T1120

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XHVNC-Client.exe.log
            Filesize

            1KB

            MD5

            3982d6d16fd43ae609fd495bb33433a2

            SHA1

            6c33cd681fdfd9a844a3128602455a768e348765

            SHA256

            9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

            SHA512

            4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133640140580911556.txt
            Filesize

            75KB

            MD5

            ec861d1b31e9e99a4a6548f1e0b504e1

            SHA1

            8bf1243597aba54793caf29c5e6c258507f15652

            SHA256

            9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da

            SHA512

            30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
            Filesize

            94KB

            MD5

            14ff402962ad21b78ae0b4c43cd1f194

            SHA1

            f8a510eb26666e875a5bdd1cadad40602763ad72

            SHA256

            fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

            SHA512

            daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\AFBNP.exe
            Filesize

            1KB

            MD5

            1d1fb7b7379b8a94ea375ccf0e1c66fb

            SHA1

            ba38186e21250aba3a2d227ad72cacfe7a17fefd

            SHA256

            a79344788106e8a3e997e1d944bc09c51976ce011914ed783476f25aa90b0bb4

            SHA512

            9115bc3352bcec53ff54dd990516b03746c67480c4f96277fb8c0b099388fc3220492fde61a61f9c341c1a44aeca6a2fe355569169a698cd0b8878caa517d8ed

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\RESE5C7.tmp
            Filesize

            1KB

            MD5

            26634bf76406802662cdee3c59f2a32f

            SHA1

            3bb87782a939b7338bb29916091adeebf2852165

            SHA256

            f5b846874cd37d3bdfac86bc889209ef0ea2b5277ef622019feee955f093065c

            SHA512

            3ca6ac4e5794be9423d82e0474c5c75abbfaf84b7eb0918aa9f38e130b9489ea66b05e0dc76e6c5ed0fbb17f5356bdd27ee5d752d4ac7c8658f2cfe7b44b3a0f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\ResetScale.ps1
            Filesize

            463B

            MD5

            03ec52c74847ffa409903bd3db885663

            SHA1

            c4c5b6a497f7e6c16962d0dccc53b3c06dbee210

            SHA256

            c433b19dc2ed05f37ea9b310a23593aa57d8c6c36b1526f06b037e94c658667c

            SHA512

            1d2fb42f3a43563e4fcbc44065315c8c81f5c0ac3f1516f8910ec44820f779979e5d0ff726bb9c1f02e7342a1098ea26ea04318e90b212d1b4cfa20f2d28d3bd

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pah24me.1q0.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\p2a3iivy\p2a3iivy.dll
            Filesize

            3KB

            MD5

            f9397b7ec70f3b578b63530d93fc5a5c

            SHA1

            08c8e271cd539af66e66c0ae07958befe399c15c

            SHA256

            9071ec87839795d9e248a50420ecedae54faf0f1d025b44ed59d9289fb99e83a

            SHA512

            b45bb16659119b4c945dccc491b36dc9a9681acd0b7478e70dd282c481115d8ef587b0ba707bec0a61771619dfd6f59eb000705325fa18db1c2f6e26d7182d47

            Download Submit
          • C:\Users\Admin\Downloads\XHVNC-Client.exe
            Filesize

            61KB

            MD5

            d88042cd7bcf5cfc1c5a6f3824607c10

            SHA1

            da7029e4e9a43453c72f2b20c88d458db661ce1e

            SHA256

            3aa99e46834bf05a9952cab4a2ffbea7031362bac9224876fbdb111f3cfb75be

            SHA512

            005ac0ff03ef535939144e8a2d25c6d407127ece3210d3972753da08084fd420790180bad9fb38cfc738cd9c0ac53f4ae86048f39532986d31ad0d2de8adb1e7

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\p2a3iivy\CSC20C000A388D405EB8763A7EFCFF3EDC.TMP
            Filesize

            652B

            MD5

            ecc803745b5379a63148ed3dae1a5857

            SHA1

            028a59d95f8ee605db1e8e0d5755bfe6b30b64e8

            SHA256

            3f769b5909255c009ccd9688bd536fb12a2d0232bbe0171f9e4239f9c3fabf97

            SHA512

            20160db05a654e68a346b54aaa6aef1a1d02a939990a433597957c5b691e8f07555452765657e6b4f25af63747e199ff417991bd3d4623642ef960eb328f02ff

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\p2a3iivy\p2a3iivy.0.cs
            Filesize

            380B

            MD5

            16ec6a1216a8b82d7bc3d0b0b4847f1d

            SHA1

            874a97587db13e8d55bdfcc5ef69681c759549ca

            SHA256

            0717362217b55ae4b8ed86790fcae2997f7dcb9d931e687566960b54297adf1e

            SHA512

            234e9052025e789468b08ed3c01d164afc6be21f9fb6c4fdf759fda611b5ed02a16d01dfbd0213eeca63492abd3e945704d50264f04538694487cd2b5dd121b6

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\p2a3iivy\p2a3iivy.cmdline
            Filesize

            369B

            MD5

            3c30ac6a11bc2c475d452d7be9fe02d5

            SHA1

            d1c1a811bd7c34493631793c9ff39a2e7a2b06dd

            SHA256

            f738d9f47b4d89eae059495e56153189d23822d73392a9a98cda09e4fb32ef15

            SHA512

            8876da58a9e7a38c3a9bd6b9338826d9e57381669823f48b7a6eee80be06e008df6be4ccfdb10c3aa80dbf1228af0a739c4633bd6074624fde67cfda2430b753

            Download Submit
          • memory/1168-34-0x0000000003140000-0x0000000003141000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1548-51-0x000001CE6A990000-0x000001CE6A9B0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/1548-62-0x000001CE6ADA0000-0x000001CE6ADC0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/1548-40-0x000001CE6A9D0000-0x000001CE6A9F0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/1548-36-0x000001C668840000-0x000001C668940000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1548-35-0x000001C668840000-0x000001C668940000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1968-31-0x0000000000400000-0x0000000000416000-memory.dmp
            Filesize

            88KB

            Download
          • memory/3448-235-0x0000000004F90000-0x0000000004FB2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/3448-233-0x00000000029A0000-0x00000000029D6000-memory.dmp
            Filesize

            216KB

            Download
          • memory/3448-264-0x0000000006550000-0x0000000006558000-memory.dmp
            Filesize

            32KB

            Download
          • memory/3448-251-0x00000000064D0000-0x00000000064EA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/3448-250-0x00000000078D0000-0x0000000007F4A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/3448-248-0x0000000005F90000-0x0000000005FDC000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3448-247-0x0000000005F50000-0x0000000005F6E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/3448-246-0x0000000005970000-0x0000000005CC4000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/3448-236-0x0000000005890000-0x00000000058F6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3448-234-0x0000000005030000-0x0000000005658000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/4008-30-0x0000000000D90000-0x0000000000DA6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/4008-29-0x00007FFE74063000-0x00007FFE74065000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4956-20-0x0000000074F5E000-0x0000000074F5F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4956-21-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-16-0x0000000073960000-0x00000000739E9000-memory.dmp
            Filesize

            548KB

            Download
          • memory/4956-17-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-0-0x0000000074F5E000-0x0000000074F5F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4956-18-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-8-0x0000000006C80000-0x0000000006EA4000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/4956-19-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-25-0x0000000001840000-0x0000000001960000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/4956-231-0x0000000007DC0000-0x0000000007DD4000-memory.dmp
            Filesize

            80KB

            Download
          • memory/4956-7-0x00000000068A0000-0x00000000068AA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4956-22-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-23-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-6-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-5-0x0000000005AF0000-0x0000000005B56000-memory.dmp
            Filesize

            408KB

            Download
          • memory/4956-4-0x0000000005A50000-0x0000000005AEC000-memory.dmp
            Filesize

            624KB

            Download
          • memory/4956-3-0x00000000059B0000-0x0000000005A42000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4956-2-0x0000000005EC0000-0x0000000006464000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/4956-24-0x0000000074F50000-0x0000000075700000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4956-1-0x0000000000DB0000-0x0000000000F9A000-memory.dmp
            Filesize

            1.9MB

            Download