Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-07-2024 20:07

General

  • Target

    2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    2da4b345e4cea3d8fd7bc4bea459c32f

  • SHA1

    7af114973b76cda6653e59d499bac886e0fbb3c2

  • SHA256

    8c00b0ea5dbee65515247a21d73b2421a969d92881239b599de54d1f6bf47a6c

  • SHA512

    f487d594bb965b9feece00753b7733492e4b681ffa9f561451b87b4468f488a488d63353f2e6dc824beaab2fdce7fda58133def63c53772a381463da663d0ea0

  • SSDEEP

    12288:KDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:KEEZBV5jCoFvZsSWG2BdN+w2+O

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\j29oAE.exe
      C:\Users\Admin\j29oAE.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\xuaevuz.exe
        "C:\Users\Admin\xuaevuz.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:64
    • C:\Users\Admin\2men.exe
      C:\Users\Admin\2men.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2676
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3948
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4200
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4184
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        PID:1688
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 80
          4⤵
          • Program crash
          PID:572
    • C:\Users\Admin\3men.exe
      C:\Users\Admin\3men.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3308
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\7A889\135E3.exe%C:\Users\Admin\AppData\Roaming\7A889
        3⤵
        • Executes dropped EXE
        PID:4340
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Program Files (x86)\89A33\lvvm.exe%C:\Program Files (x86)\89A33
        3⤵
        • Executes dropped EXE
        PID:1552
      • C:\Program Files (x86)\LP\E337\8661.tmp
        "C:\Program Files (x86)\LP\E337\8661.tmp"
        3⤵
        • Executes dropped EXE
        PID:4332
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1688 -ip 1688
    1⤵
    PID:4988
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4300
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:960
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4652
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1696
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4424
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4932
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:2912
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4840
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2060

Downloads

    • C:\Program Files (x86)\LP\E337\8661.tmp

      Filesize

      96KB

      MD5

      6b9ed8570a1857126c8bf99e0663926c

      SHA1

      94e08d8a0be09be35f37a9b17ec2130febfa2074

      SHA256

      888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

      SHA512

      23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

    • C:\Users\Admin\2men.exe

      Filesize

      132KB

      MD5

      945a713b037b50442ec5d18d3dc0d55e

      SHA1

      2c8881b327a79fafcce27479b78f05487d93c802

      SHA256

      2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

      SHA512

      0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

    • C:\Users\Admin\3men.exe

      Filesize

      271KB

      MD5

      0d668203e24463de2bf228f00443b7bc

      SHA1

      eacff981d71f6648f6315e508bfd75e11683dba8

      SHA256

      509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

      SHA512

      3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

      Filesize

      2KB

      MD5

      e777fc924231f0a2f797bfde5028af06

      SHA1

      a1314d69d8a81cc4a3ce037b2bb98768a44edadb

      SHA256

      0f5f5864f5cbcb1b49582a695feb4faf124805cf70e3837eeffea84e4ee25c84

      SHA512

      1b26cf91f1fee61eb2e75d7fe32723184f6ab64e63fd9a995e46e62c0fdf9c9530fe4eb87d3fc9a9449c85f8eb9d938fe84ef7a59287b0bd9587fb7ec74110cb

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133649687358329936.txt

      Filesize

      74KB

      MD5

      df56fdd8a8916339bd7a2f79712a0552

      SHA1

      dedc8e77691bf5f512de561712adc1ea08adde5e

      SHA256

      9f9779cf5a2f530255842912b09fe155d78c545664af01b1be5d1732a5d93add

      SHA512

      1530791379813e9331161b8a3e127c4b131632704c4a73ecd5ab4ba506c5e995576ba463687ebe7761ef5e22ef0862056e45445077be3090c88a7ae66c4f3af1

    • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\US14V1L9\microsoft.windows[1].xml

      Filesize

      97B

      MD5

      47d220fd932eef798fb8b1cae8d072ed

      SHA1

      4ebb9bc5a78879d2f5336da931c6c862096e513c

      SHA256

      b369810963fb6aa395d4c176f746f2aa2ca16b1dc56a04ee021e76cdd9603971

      SHA512

      a23a44778d5f04871321b093339607a124d611c73bd9432790231ee5dac8442b9f3cce297f6816110c9edeb35812cc588752013209e95765abfaff8648247d83

    • C:\Users\Admin\AppData\Roaming\7A889\9A33.A88

      Filesize

      600B

      MD5

      6ee865c26636d5f24f9e6c2a1bc3e0c0

      SHA1

      72da9d847c4c32d8831be703fe4d7315d1f089b2

      SHA256

      14965aed0e6e0da4abec9424843690e006dc2c736207d6654ef017528d86cd16

      SHA512

      4f5d543f0d3c6dbac8008a47da5b1c8b383423a32f111efd4d2e84562a78159d6cd62772967bac20a5f607ac97e48aa9e5ceceb6819b82b271ca3f599e20f4a0

    • C:\Users\Admin\AppData\Roaming\7A889\9A33.A88

      Filesize

      1KB

      MD5

      1ea0f037ab507372a19f6f33ccb31d92

      SHA1

      861cc4f13a3a87917588ea133a2e35304a5f407c

      SHA256

      60fb7a7c801e638e356a6d2ea5cadd21240d05c103b3c085197aee25ea9bc51b

      SHA512

      968fd6ce44b41935df241965ba5e4139becd74d8008ad868eb83f080846cebcc82bc67c89c3ca74981c75ddf6de82297011d85512604bf1db596b090e0ff863f

    • C:\Users\Admin\AppData\Roaming\7A889\9A33.A88

      Filesize

      1KB

      MD5

      9e7f00a259f82d566a2c3b7c20bd4487

      SHA1

      d948479006f6b3bff5a41fd0c972675045aa618d

      SHA256

      6f48d2d856af783f1a1e579664e427604d04246187e3fe056ed85bacb701a040

      SHA512

      af19a8ea40101b930f36197d0b57cc4044ce5c403b8d2b48c18f70cb9e4ebbdb3071fc4165a7f404ba79612969bf8a895dd0c28c4d076d154a3b4b88f551bdf4

    • C:\Users\Admin\j29oAE.exe

      Filesize

      176KB

      MD5

      c4a634088e095eab98183984bb7252d8

      SHA1

      c205f2c1f8040c9205c6c06accd75c0396c59781

      SHA256

      db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

      SHA512

      b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

    • C:\Users\Admin\xuaevuz.exe

      Filesize

      176KB

      MD5

      4b3c2babbe062b97bf34e301cdce2fe0

      SHA1

      0142582df0736b6d2404982fedbc49d72ec1708c

      SHA256

      1e2b467ecfd77e82f617da2174ec2216bae7bf7c112fbdb4e41faf779e85d38a

      SHA512

      3362db721b0401cc42f9001ded5dfb3e21216f67cf263269b79ddb50831f431fcdcf4f87ab56c1abe6da7a1b2904f278a9670b318186bc01dafb80f22ba53c28

    • memory/1552-202-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

    • memory/1696-319-0x0000000000E90000-0x0000000000E91000-memory.dmp

      Filesize

      4KB

    • memory/2060-498-0x000002307D800000-0x000002307D900000-memory.dmp

      Filesize

      1024KB

    • memory/2060-527-0x000002307ED20000-0x000002307ED40000-memory.dmp

      Filesize

      128KB

    • memory/2060-496-0x000002307D800000-0x000002307D900000-memory.dmp

      Filesize

      1024KB

    • memory/2060-497-0x000002307D800000-0x000002307D900000-memory.dmp

      Filesize

      1024KB

    • memory/2060-513-0x000002307E920000-0x000002307E940000-memory.dmp

      Filesize

      128KB

    • memory/2060-501-0x000002307E960000-0x000002307E980000-memory.dmp

      Filesize

      128KB

    • memory/2676-47-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2676-76-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2676-51-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2676-49-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/3308-95-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

    • memory/3308-641-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

    • memory/3308-200-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

    • memory/3948-57-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3948-58-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3948-54-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3948-56-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4184-64-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4184-69-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4184-67-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4184-94-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4200-93-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4200-61-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4200-63-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4200-62-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4200-59-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4332-640-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/4340-97-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

    • memory/4932-322-0x0000023ED8000000-0x0000023ED8100000-memory.dmp

      Filesize

      1024KB

    • memory/4932-321-0x0000023ED8000000-0x0000023ED8100000-memory.dmp

      Filesize

      1024KB

    • memory/4932-326-0x0000023ED9140000-0x0000023ED9160000-memory.dmp

      Filesize

      128KB

    • memory/4932-357-0x0000023ED9510000-0x0000023ED9530000-memory.dmp

      Filesize

      128KB

    • memory/4932-345-0x0000023ED9100000-0x0000023ED9120000-memory.dmp

      Filesize

      128KB