trickbot | 4e69a7885e258bd850a4044aa3611565d2348046bed8b506769ab30e30aede77

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
Size

319KB
MD5

88f333320e4662ca05ee46b7291894bd
SHA1

d2d63ce35e5349aaae1c601fedc1fd0515f2a0f3
SHA256

4e69a7885e258bd850a4044aa3611565d2348046bed8b506769ab30e30aede77
SHA512

120d1203d8f6511512f84b0ee15c033ddf94f9a89bc4a627ce0718db40ba7a310697ed0d17ae6bed1df7ee48cf7078c93fb52282dda30547a53714d163167e6e
SSDEEP

6144:PhAnu2nueyBftJumjaT9lCMplFW2B2D4YVn7fcD7wSqEJtvi:Ph7Iu/bJuFTfCsnW4QcYS1JE

Score

10^/10

trickbot lib333 banker evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000279

Botnet

lib333

195.54.163.91:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

69.57.26.30:443

149.154.71.206:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

185.251.39.106:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

91.235.128.186:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2120-1-0x00000000021B0000-0x00000000021F0000-memory.dmp	trickbot_loader32
behavioral1/memory/2640-12-0x00000000004A0000-0x00000000004E0000-memory.dmp	trickbot_loader32
behavioral1/memory/2120-24-0x0000000000400000-0x0000000000458000-memory.dmp	trickbot_loader32
behavioral1/memory/2120-25-0x00000000021B0000-0x00000000021F0000-memory.dmp	trickbot_loader32
behavioral1/memory/2640-29-0x00000000004A0000-0x00000000004E0000-memory.dmp	trickbot_loader32
behavioral1/memory/2640-28-0x0000000000400000-0x0000000000458000-memory.dmp	trickbot_loader32
behavioral1/memory/1832-44-0x0000000000400000-0x0000000000458000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe
1832	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2420	sc.exe
2688	sc.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeTcbPrivilege	1832	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2208	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2208	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2208	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2208	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2260	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2260	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2260	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2260	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2520	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	32
PID 2120 wrote to memory of 2520	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	32
PID 2120 wrote to memory of 2520	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	32
PID 2120 wrote to memory of 2520	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	32
PID 2120 wrote to memory of 2640	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2640	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2640	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2640	2120	88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe	34
PID 2520 wrote to memory of 2888	2520	cmd.exe	35
PID 2520 wrote to memory of 2888	2520	cmd.exe	35
PID 2520 wrote to memory of 2888	2520	cmd.exe	35
PID 2520 wrote to memory of 2888	2520	cmd.exe	35
PID 2260 wrote to memory of 2420	2260	cmd.exe	36
PID 2260 wrote to memory of 2420	2260	cmd.exe	36
PID 2260 wrote to memory of 2420	2260	cmd.exe	36
PID 2260 wrote to memory of 2420	2260	cmd.exe	36
PID 2208 wrote to memory of 2688	2208	cmd.exe	37
PID 2208 wrote to memory of 2688	2208	cmd.exe	37
PID 2208 wrote to memory of 2688	2208	cmd.exe	37
PID 2208 wrote to memory of 2688	2208	cmd.exe	37
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38
PID 2640 wrote to memory of 2868	2640	99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- C:\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {C1E7B783-79A5-4F78-A0A2-49688042A3D8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1312
- C:\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies data under HKEY_USERS
    PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
1KB

MD5
e1e7fc3a58fe425b67187e4bcf17c4d9

SHA1
b4498d26186c0a2e85cdc87e26b91fc909be4f50

SHA256
be4c2031e3da6d6e59694fe655e7d449b31f1c3c8bc9866aa6ff31a816d82149

SHA512
5ec9bc8c5ca1efee2f4eeb01d0d9ab9c60681a7ba693edd8f1034d16f2cb4dd6879804c62e70d0a2316e5069f0a57f043c1dbfca883b9bab5ee73130b1d87111

Download Submit
\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe

Filesize
319KB

MD5
88f333320e4662ca05ee46b7291894bd

SHA1
d2d63ce35e5349aaae1c601fedc1fd0515f2a0f3

SHA256
4e69a7885e258bd850a4044aa3611565d2348046bed8b506769ab30e30aede77

SHA512
120d1203d8f6511512f84b0ee15c033ddf94f9a89bc4a627ce0718db40ba7a310697ed0d17ae6bed1df7ee48cf7078c93fb52282dda30547a53714d163167e6e

Download Submit
memory/1832-44-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2120-1-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2120-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2120-25-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2640-12-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2640-13-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2640-29-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2640-28-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2868-18-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/2868-17-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download