0e9ce795d42d12df970d95fa6bfe8cbff9c68eb92c450f1f0379a06f43abb85a

Analysis

max time kernel
141s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
Size

1.0MB
MD5

7666f9c021a008dbc0d87c02f4f18b7f
SHA1

7d9bedde73435791583532bd320648fe3520702a
SHA256

0e9ce795d42d12df970d95fa6bfe8cbff9c68eb92c450f1f0379a06f43abb85a
SHA512

4e23d133bc074608efa8706066333ae38c741aa0daab75d8dc14dad0c15b2d18b468bd2e7b7f023fb8acad9a498eb0eaffe858b843b259f22d6b31c102edc733
SSDEEP

24576:f207lu60YcqfAo7xIqF48v11BarajPjAdyhOFzH4UZXgXC75ld1qSVpcqg:f2+03qfAoNzC+11kOjPjAdyhGzfd1qay

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetHomeIDE\Parameters\ServiceDll = "C:\\Windows\\system32\\idecomp.dll"	rundll32.exe

Executes dropped EXE 7 IoCs

pid	Process
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2900	msfsg.exe
2768	msfsg.exe
2724	msfsg.exe
2556	msfsg.exe
2588	msfsg.exe
2984	dsetup.exe

Loads dropped DLL 19 IoCs

pid	Process
1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
2984	dsetup.exe
2984	dsetup.exe
2984	dsetup.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe
1616	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hardpol\MyIEData\main.ini	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\idecomp.dll	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File opened for modification	C:\Windows\SysWOW64\idecomp.dll	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\baidu\is-9J7OH.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-CBLJA.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-8KP1E.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\dsetup.exe	msfsg.exe
File opened for modification	C:\Program Files (x86)\baidu\spass.dll	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-HIKPS.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\newnetgar.dll	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-9NICB.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-36T1S.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\passthru.dll	msfsg.exe
File opened for modification	C:\Program Files (x86)\baidu\sumpod-nos.sys	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-3IE1C.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-AB3F1.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-4KK2Q.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-3FOGS.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe
928	rundll32.exe
1616	svchost.exe
1616	svchost.exe
1616	svchost.exe
1616	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	rundll32.exe
Token: SeDebugPrivilege	1616	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2900	msfsg.exe
2768	msfsg.exe
2724	msfsg.exe
2556	msfsg.exe
2588	msfsg.exe
2984	dsetup.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2308	1848	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	30
PID 2308 wrote to memory of 2900	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	31
PID 2308 wrote to memory of 2900	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	31
PID 2308 wrote to memory of 2900	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	31
PID 2308 wrote to memory of 2900	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	31
PID 2308 wrote to memory of 2768	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	32
PID 2308 wrote to memory of 2768	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	32
PID 2308 wrote to memory of 2768	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	32
PID 2308 wrote to memory of 2768	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	32
PID 2308 wrote to memory of 2724	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	33
PID 2308 wrote to memory of 2724	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	33
PID 2308 wrote to memory of 2724	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	33
PID 2308 wrote to memory of 2724	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	33
PID 2308 wrote to memory of 2556	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	34
PID 2308 wrote to memory of 2556	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	34
PID 2308 wrote to memory of 2556	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	34
PID 2308 wrote to memory of 2556	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	34
PID 2308 wrote to memory of 2588	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	35
PID 2308 wrote to memory of 2588	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	35
PID 2308 wrote to memory of 2588	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	35
PID 2308 wrote to memory of 2588	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	35
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 2984	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	36
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37
PID 2308 wrote to memory of 928	2308	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	37

C:\Users\Admin\AppData\Local\Temp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\is-CC6HK.tmp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CC6HK.tmp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp" /SL5="$B0152,822235,54272,C:\Users\Admin\AppData\Local\Temp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s passthru.dll -d passthru.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s dsetup.exe -d dsetup.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s spass.dll -d spass.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s newnetgar.dll -d newnetgar.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2556
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s sumpod-nos.sys -d sumpod-nos.sys
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\Program Files (x86)\baidu\dsetup.exe
    "C:\Program Files (x86)\baidu\dsetup.exe" install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\rundll32.exe
    "rundll32.exe" C:\Windows\system32\idecomp.dll RundllInstall NetHomeIDE
    3⤵
    - Server Software Component: Terminal Services DLL
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k mysysgroup3
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\baidu\dsetup.exe

Filesize
324KB

MD5
90077a6410077cdf6c9d0300ac62df78

SHA1
71f565f3e96af51578c01b57887c702b0601784b

SHA256
80e5514f861ac107ac0a17968b13e477570ecac501c1106791b88c5d59b740ef

SHA512
1bf13b2043145ad0f5ad7b540cfb4ca5c1619f649abc2d7199a84c2ff4748bb5fb3207f6cc18e2245dd0693e8523629ce8581f856c2198a5c7271ce3f87df7f6

Download Submit
C:\Program Files (x86)\baidu\newnetgar.dll

Filesize
308KB

MD5
91d569f94b255773cfb9552741f58332

SHA1
0afe488b4e9305d68cac09f062e29c2d4b0b4b7c

SHA256
b06bcca689a418a3f3a0ade4ae259c96aab6196578b47b2f49903504b75f04c1

SHA512
9e8dc300e0f065a6ad79748b91f306bbd471ecf77f91c8d5c9f1b9c889cda1e8049662d00585668a8a8331fd0ce24dc3fd75e06345dcbee18aa627cddca1e17d

Download Submit
C:\Program Files (x86)\baidu\newnetgar.dll

Filesize
308KB

MD5
ff6047777db7a2b9d2764afd03a73477

SHA1
1a7b3dd22fc7fe2f544aaa3a2369f296925d0646

SHA256
15a27c4cc04b75050e354766de0d3a91b96df563b17517dfa1c282662237d24a

SHA512
f888e767ffcd55a44a9db183f3acc17672b6784f0b427e365c09b53155f6ab473a2fc7eb8f3e1d1e3f61e4d4262388fbf0d43d5dab7a12d2d45202eb2aed50d3

Download Submit
C:\Program Files (x86)\baidu\passthru.dll

Filesize
35KB

MD5
83ff8f2e074c2cd6b3cb5e17e9c0e9a7

SHA1
22b6072f9078d259b77e4d41bf76919c4950ccc2

SHA256
c3197e92ccd39cd57a82e7163db93c0a825d51a57c8eb3d25de402a6f537f934

SHA512
35879938df4e0f5436ee0db4e168388f468e37e5d06e25523ed5b5624d4c84c103cf45a9b76176a8e2edbf102ec7f249506a771650f3659a54b78b5b35fe3261

Download Submit
C:\Program Files (x86)\baidu\sumpod-nos.sys

Filesize
13KB

MD5
a3306e1a9669b03c7a76eca3d46f7fbe

SHA1
04484df2413b3a53cd79aa5bad1dd5943435f4aa

SHA256
b9db291729bc5df6eff7e764144ab15a650aaaccc7e21ff6816f773bd57d6787

SHA512
b2428f92f167d08614d2cd5f9807bfccd2cc1c179b6a3df757c65a7e2415a2c0c98be9c687c2c9dd31f569fbe73b3da4d11d5447176ad141c5eddf7054649459

Download Submit
\Program Files (x86)\baidu\msfsg.exe

Filesize
360KB

MD5
31868e5353152084bc594cee28afbf9a

SHA1
3757d11f82d52b5c085049d2ea7fb4cd6d444c1f

SHA256
e8fd382f2d01922d443eb9057f9dcc786143ec399850366f0024a7a3d9f7156b

SHA512
1a871d4f2f7272629d66c456a2a6ef0de4d005759dfb69a8df958dea20bb646d5ddc3845e9374b3dc6780b9a9bdb021440efc465e1e269d83a1cb9ed1e38a57b

Download Submit
\Users\Admin\AppData\Local\Temp\is-B351C.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-B351C.tmp\spass.dll

Filesize
652KB

MD5
edbbbdd96ba8834b70348aba49d38fd9

SHA1
85b287e3b6da7aa143e5f1c02b460e4afcb13679

SHA256
14c6b08ef37b2391075fb3686f5d22a447f7d1e61e5224a9ac7c2dd07182f336

SHA512
d11dc804e78f7562448c1d728ce2e07ebc5dd2b4d72f2d49886d1199dad0c23914ad7171fc3f9f995c7310f4a4f4dfc1f28a36130902d9fb67612cacdd0e7ff8

Download Submit
\Users\Admin\AppData\Local\Temp\is-CC6HK.tmp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
memory/1848-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1848-85-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2308-11-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2308-86-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download