6c60b3c7f78328a56feda777b42491357ecc3c867c5decaee091df9e5238fb7f

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
Size

473KB
MD5

87bc1902b89ac09e8904fb77f997bf02
SHA1

7f193a3ca6f3e20e005d1890ccc30197ef5df1e0
SHA256

6c60b3c7f78328a56feda777b42491357ecc3c867c5decaee091df9e5238fb7f
SHA512

8fa91c61513b80fcb67ecc1640359db4c481013346f7ced0d79afa08bbd5621282f57e29fd8014e7f2f651cda68705874a2e22e9340d77bf7c77b531cb86fb8e
SSDEEP

6144:JnXOFxDkS6WtG6gGUgy9ZWHhnP9Ba5CfZomKKg7+uTAVg9EVJ0BVKvh82CYBuBNk:JRS6Wefq9Ba5oO7TUUk

Score

10^/10

discovery evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
2076	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2256	powershell.exe
2976	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1476	sc.exe
1732	sc.exe
2408	sc.exe
2684	sc.exe
2836	sc.exe
328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80fa562c6cebda01	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2256	powershell.exe
2976	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeTcbPrivilege	2076	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1964	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	31
PID 2436 wrote to memory of 1964	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	31
PID 2436 wrote to memory of 1964	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	31
PID 2436 wrote to memory of 1964	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	31
PID 2436 wrote to memory of 2056	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2056	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2056	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2056	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2116	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	35
PID 2436 wrote to memory of 2116	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	35
PID 2436 wrote to memory of 2116	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	35
PID 2436 wrote to memory of 2116	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	35
PID 1964 wrote to memory of 1732	1964	cmd.exe	37
PID 1964 wrote to memory of 1732	1964	cmd.exe	37
PID 1964 wrote to memory of 1732	1964	cmd.exe	37
PID 2116 wrote to memory of 2256	2116	cmd.exe	38
PID 2116 wrote to memory of 2256	2116	cmd.exe	38
PID 2116 wrote to memory of 2256	2116	cmd.exe	38
PID 2056 wrote to memory of 2408	2056	cmd.exe	39
PID 2056 wrote to memory of 2408	2056	cmd.exe	39
PID 2056 wrote to memory of 2408	2056	cmd.exe	39
PID 2436 wrote to memory of 2756	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	40
PID 2436 wrote to memory of 2756	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	40
PID 2436 wrote to memory of 2756	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	40
PID 2436 wrote to memory of 2756	2436	87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe	40
PID 2756 wrote to memory of 2796	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	41
PID 2756 wrote to memory of 2796	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	41
PID 2756 wrote to memory of 2796	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	41
PID 2756 wrote to memory of 2796	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	41
PID 2756 wrote to memory of 2496	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	43
PID 2756 wrote to memory of 2496	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	43
PID 2756 wrote to memory of 2496	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	43
PID 2756 wrote to memory of 2496	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	43
PID 2756 wrote to memory of 2864	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	45
PID 2756 wrote to memory of 2864	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	45
PID 2756 wrote to memory of 2864	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	45
PID 2756 wrote to memory of 2864	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	45
PID 2796 wrote to memory of 2684	2796	cmd.exe	47
PID 2796 wrote to memory of 2684	2796	cmd.exe	47
PID 2796 wrote to memory of 2684	2796	cmd.exe	47
PID 2496 wrote to memory of 2836	2496	cmd.exe	48
PID 2496 wrote to memory of 2836	2496	cmd.exe	48
PID 2496 wrote to memory of 2836	2496	cmd.exe	48
PID 2864 wrote to memory of 2976	2864	cmd.exe	49
PID 2864 wrote to memory of 2976	2864	cmd.exe	49
PID 2864 wrote to memory of 2976	2864	cmd.exe	49
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50
PID 2756 wrote to memory of 800	2756	98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87bc1902b89ac09e8904fb77f997bf02_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Users\Admin\AppData\Roaming\wnetwork\98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\wnetwork\98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:800

C:\Windows\system32\taskeng.exe
taskeng.exe {F05D2B3E-38A7-4196-A75D-7FC41EEE5A66} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2324
- C:\Users\Admin\AppData\Roaming\wnetwork\98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\wnetwork\98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:2840
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
    3⤵
    PID:624
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:1476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

Filesize
1KB

MD5
705a3f2064d0d15345f56ad2574587c5

SHA1
013009a24418b9b5cdc978a6565ccf0df3e5c3cb

SHA256
d50a1f330a4ed7ca0dcc51ae3ce56d4cfc6bb471f7e89d5dd95ad12e0738db05

SHA512
3d922cf162fc39f3b15799209abe65d420ed9d01d7438398e91f2b5e1f72c190bdd7a0aae67dc53eadd7c0a10d0eb63e55a18dd84b8360703a6c566b89bf84c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f71a052018a299948cade983f65922b6

SHA1
e70d2f72553513330905d47903043ad401b4d325

SHA256
8160f09abeb69b34ea158b917b845ff07872d6561cbe8085acf9cccb9e115ff2

SHA512
79afbac70510c96872dfbd66b1719fa91e877ac894cf7137d4af790ecd802e5bf2aedf228c91f16c8951f1c93472ce2530cac77b3a350d47a3a4645277e0355f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\67GSDCFK92SJ8CXGO4PB.temp

Filesize
7KB

MD5
344a7e83dd106b649323f74c7fb9a91a

SHA1
a6ff8087b57372ea18ddbbdc5814a504d69c5b25

SHA256
02b9a7fbfe15244bd496fa0544ef60df952db2fc832034ff490de9be433ed7da

SHA512
e66f0e11c2ad172429b408d6480490e2d99e1d212ba5c9b6fc54993a2a368b33191eaa2f783fc0fccb7fb62537b01130884eac344e2056158568848da9cc9f32

Download Submit
\Users\Admin\AppData\Roaming\wnetwork\98bc1902b99ac09e9905fb88f998bf02_KaffaDalet119.exe

Filesize
473KB

MD5
87bc1902b89ac09e8904fb77f997bf02

SHA1
7f193a3ca6f3e20e005d1890ccc30197ef5df1e0

SHA256
6c60b3c7f78328a56feda777b42491357ecc3c867c5decaee091df9e5238fb7f

SHA512
8fa91c61513b80fcb67ecc1640359db4c481013346f7ced0d79afa08bbd5621282f57e29fd8014e7f2f651cda68705874a2e22e9340d77bf7c77b531cb86fb8e

Download Submit
memory/800-32-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2076-52-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2076-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2256-5-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2256-4-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-16-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2436-7-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2672-39-0x0000000019FF0000-0x000000001A2D2000-memory.dmp

Filesize
2.9MB

Download
memory/2672-40-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2756-26-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2756-28-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2756-36-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2976-23-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2976-22-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download