cf5263fde392d6f83e31d5f8c727611ac99c9c0b6a6b46e7afa024bc41b6f298

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe
Size

36KB
MD5

49c5a7fb400ff77555abe31a6488160d
SHA1

1853c695eea3878b1b4f15d3d3edd5c31e3d3167
SHA256

cf5263fde392d6f83e31d5f8c727611ac99c9c0b6a6b46e7afa024bc41b6f298
SHA512

45ffa5ab02692642986b1c1cd2c579876d5ce7aead9627bbc1bcc6ee9af81a3139c3131bcb92628ea390866ea9e66adaab9999d97a1ab327b5306834562b4651
SSDEEP

768:TYCRkQFrNS5BwnRTCRn7xqjY3mDNDyBy7Gq6rOuboGNw0Peoox:TYLQ3MBwRK8jbyBvsmWx

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\aec.SYS	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\egui.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC3.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\mcshield.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\avp.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe\360Safebox.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\RsTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\livesrv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ccSvcHst.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\safeboxTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\mfeann.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe\rtvscan.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\ScanFrm.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\360tray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe\engineserver.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\KPFW32.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\KVSrvXP.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\vsserv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\RavStub.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe\defwatch.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe\vstskmgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe\antiarp.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe\xcommsvr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\mcshell.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe\mcinsupd.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe\udaterui.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe\naPrdMgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe\mcnasvc.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KavStart.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\bdagent.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	update~.exe

Loads dropped DLL 1 IoCs

pid	Process
4836	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a360 = "C:\\Windows\\system32\\scvhost.exe"	update~.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killdll.dll	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1272	2368	WerFault.exe	83
2004	2368	WerFault.exe	83
5112	2368	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4836	rundll32.exe
4836	rundll32.exe
4836	rundll32.exe
4836	rundll32.exe
4836	rundll32.exe
4836	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
644	Process not Found
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	rundll32.exe
Token: SeDebugPrivilege	1048	update~.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4836	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	86
PID 2368 wrote to memory of 4836	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	86
PID 2368 wrote to memory of 4836	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	86
PID 2368 wrote to memory of 1048	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	87
PID 2368 wrote to memory of 1048	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	87
PID 2368 wrote to memory of 1048	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	87
PID 1048 wrote to memory of 2504	1048	update~.exe	88
PID 1048 wrote to memory of 2504	1048	update~.exe	88
PID 1048 wrote to memory of 2504	1048	update~.exe	88
PID 1048 wrote to memory of 2860	1048	update~.exe	89
PID 1048 wrote to memory of 2860	1048	update~.exe	89
PID 1048 wrote to memory of 2860	1048	update~.exe	89
PID 2504 wrote to memory of 3680	2504	cmd.exe	92
PID 2504 wrote to memory of 3680	2504	cmd.exe	92
PID 2504 wrote to memory of 3680	2504	cmd.exe	92
PID 2860 wrote to memory of 3824	2860	cmd.exe	93
PID 2860 wrote to memory of 3824	2860	cmd.exe	93
PID 2860 wrote to memory of 3824	2860	cmd.exe	93
PID 2368 wrote to memory of 1388	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	94
PID 2368 wrote to memory of 1388	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	94
PID 2368 wrote to memory of 1388	2368	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\killdll.dll killall
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\update~.exe
  C:\Users\Admin\AppData\Local\Temp\update~.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_uok.bat
  2⤵
  PID:1388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 348
  2⤵
  - Program crash
  PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 348
  2⤵
  - Program crash
  PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 340
  2⤵
  - Program crash
  PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2368 -ip 2368
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2368 -ip 2368
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2368 -ip 2368
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uok.bat

Filesize
224B

MD5
94266f71b25115b4ff760d65fe97317b

SHA1
c93ec97ac280e6fb9ec0461f2a6df4511e0ad257

SHA256
aa585e011694563b95f2fec9c76f56bf4c9498e08c93203360acbbd78bde5ca7

SHA512
d719045b2173ad4dac382b702bc517ea2e0eb151b11ffe4106bccf58379717e10f530cf2f2607fd27ae7051e5c9362a150bfcab32a4f3dd03505f61bfd537923

Download Submit
C:\Users\Admin\AppData\Local\Temp\update~.exe

Filesize
9KB

MD5
1e01566b55739bbc91befa73dee5827b

SHA1
52f1959305352fb9a7ccddb0261ea0e69f8c0629

SHA256
99be705551bb1eea39ff313d8e8b6b35489dbf93b409d3110bf2c6460c01eccc

SHA512
9ac5c002a781e64e5ce5caae8b523af1c9c7f513fc478b37b9df87a83e228761ae1b2c774c61b0c4deacbae669f0d2001a57a748564b1c98d3d31eedcb916fa3

Download Submit
C:\Windows\SysWOW64\killdll.dll

Filesize
56KB

MD5
622c82fe356f19b2800e51db3490d8d5

SHA1
eb62a2e329668c6bf70efaa0647f1bf683a7311a

SHA256
4d79c7d5ec4030e60fab6a5001b79bf71bd73bf08223c4a1875b990a2fe3cd81

SHA512
3384d19790e0680570c33ad8bede977c6466e3b14e40ec603efe2063d51e206f5327be9a692c3d0a4ba1b2f5e8f9ac4ec390fefbed709d1239aa17bcb93c97c8

Download Submit
memory/2368-0-0x0000000004000000-0x0000000004028000-memory.dmp

Filesize
160KB

Download
memory/2368-16-0x0000000004000000-0x0000000004028000-memory.dmp

Filesize
160KB

Download