0825899886cc4c0f9ed52bdb0093f2ccbb7089c235f3c8a31dfcea150d680df0

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe
Size

52KB
MD5

39322fe542daa2882e06670ab868ef57
SHA1

976d3e4e82030a43e5340fae59c24cf858f5e5d4
SHA256

0825899886cc4c0f9ed52bdb0093f2ccbb7089c235f3c8a31dfcea150d680df0
SHA512

303dd5058680dde50b49e3327330c8071b5d1ef6f643abf74df1bb4ae70d0989264e03696c31e90d123e53222db2ef2077a1204ab590eb54b750256341d5831d
SSDEEP

768:hqbr9qIkRDzm5huP/VO56CXlMhnaT37ahzc+RfG9TkbiFW89PQdLchy:hqsRD658VO5PV0ajGh4gG9TCiT++y

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\aec.SYS	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	smses.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ccSvcHst.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdateexe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\RavMon.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\kmailmon.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\bdagent.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Rav.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC3.exe\MPSVC3.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\mcmscsvc.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uplive.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\safeboxTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\RavTask.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe\mfevtps.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe\SHSTAT.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\mcshield.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe\mcupdmgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe\FrameworkService.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC3.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\mcshell.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\vsserv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\avp.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe\ccSetMgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe\mcnasvc.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe\QQDoctorRtp.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\rsnetsvr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\360tray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\KVSrvXP.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\RsTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe\ccEvtMgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe\mcinsupd.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KAVStart.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdateexe\DrUpdateexe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\QQDoctor.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\McProxy.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\livesrv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\RavMonD.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe\naPrdMgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe\rtvscan.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\ccapp.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe\xcommsvr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
3176	smses.exe
2440	svchos.exe
4384	update~.exe

Loads dropped DLL 1 IoCs

pid	Process
4648	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RsTray = "C:\\Windows\\system32\\scvhost.exe"	update~.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killdll.dll	smses.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\update~.exe	smses.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	rundll32.exe
Token: SeDebugPrivilege	4384	update~.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 3176	708	39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe	83
PID 708 wrote to memory of 3176	708	39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe	83
PID 708 wrote to memory of 3176	708	39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe	83
PID 708 wrote to memory of 2440	708	39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe	84
PID 708 wrote to memory of 2440	708	39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe	84
PID 708 wrote to memory of 2440	708	39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe	84
PID 3176 wrote to memory of 4648	3176	smses.exe	87
PID 3176 wrote to memory of 4648	3176	smses.exe	87
PID 3176 wrote to memory of 4648	3176	smses.exe	87
PID 3176 wrote to memory of 4384	3176	smses.exe	89
PID 3176 wrote to memory of 4384	3176	smses.exe	89
PID 3176 wrote to memory of 4384	3176	smses.exe	89
PID 4384 wrote to memory of 5056	4384	update~.exe	90
PID 4384 wrote to memory of 5056	4384	update~.exe	90
PID 4384 wrote to memory of 5056	4384	update~.exe	90
PID 4384 wrote to memory of 1928	4384	update~.exe	91
PID 4384 wrote to memory of 1928	4384	update~.exe	91
PID 4384 wrote to memory of 1928	4384	update~.exe	91
PID 1928 wrote to memory of 1556	1928	cmd.exe	94
PID 1928 wrote to memory of 1556	1928	cmd.exe	94
PID 1928 wrote to memory of 1556	1928	cmd.exe	94
PID 5056 wrote to memory of 4308	5056	cmd.exe	95
PID 5056 wrote to memory of 4308	5056	cmd.exe	95
PID 5056 wrote to memory of 4308	5056	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39322fe542daa2882e06670ab868ef57_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\Temp\smses.exe
  C:\Users\Admin\AppData\Local\Temp\smses.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\killdll.dll killall
    3⤵
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\update~.exe
    C:\Windows\update~.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls C:\Windows\system32 /e /p everyone:f
        5⤵
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
        5⤵
        
        PID:1556
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\svchos.exe
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smses.exe

Filesize
34KB

MD5
226b8a18ff518973632165d853a373cf

SHA1
d53956b870875d8a52128ef826619828235ee00e

SHA256
698d46288045a83565a62d0e9c154e0b3d83bb9ef8265eec8b2edd7a9ab3cacd

SHA512
aa43b22798677b8a7d2ff4e6b3ec098e2083d28f18853bc3a20c41a24e4ccd1da04c49c5a06d239118cf7085e60f2589da4ac68402ddc269f06c89e4e11fe247

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
1KB

MD5
10d5b09923da055a2bdecf0b7ef6d007

SHA1
d08e09c8f189a71cd852e24ab291b5cdddff1857

SHA256
1f26b0d69112e707006dea55f04402475a9fc1abd40addb897e4d5d43b4a62a4

SHA512
89e5cd3c71a617e34f1c6478b17f9d7ed8c39d44bc69e8af645a72e9020709e99ff576fdbe8846e74bc0d2e537b6c2b89d7e4721546a3bfb50e87663ed9505dc

Download Submit
C:\Windows\SysWOW64\killdll.dll

Filesize
60KB

MD5
6e0bcbf79b97ec4ef541b65c65a56f81

SHA1
c517469611ba40da7ac4add92d2f8402511910f4

SHA256
9e11b76fbba69258985000ae680b2970ef9546bb5ef8ad23f539ee0506eb48ab

SHA512
80963177cef8c447abd2901c7c2a3adeaf005740c12d8a14c434d9d03f79f765e1289b7200eee99ebbd26ad63dbdcce348d355f56c04e8100ae86d246e7e58b8

Download Submit
C:\Windows\update~.exe

Filesize
10KB

MD5
4217e88bb4e19da45cd31e893fed3c6b

SHA1
e25f5189b4286d4ad9681978148db106b719c444

SHA256
c646a734b2802844344e2b942189bb6de3ed71ee73a73b90276e47e58fdb4cc0

SHA512
64499cd7c7422abe8dfc5cf815ab181f1ca86f0c322bb0a78f50893c2b78a48d9e82ae9163c160861953975a7fa112788991db4f24b3383d978821e144be10ac

Download Submit
memory/708-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2440-9-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3176-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3176-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download