1c8950be7d83f1f3873f823ed0ba54addf10eeb6905303fec87f33e3aa8bc8d1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe
Size

20KB
MD5

eac66dbf6736f5768ed48f71da21f392
SHA1

6781ea8f567bbd7090c7251e62fb750799f39e39
SHA256

1c8950be7d83f1f3873f823ed0ba54addf10eeb6905303fec87f33e3aa8bc8d1
SHA512

d78b2472774d887c4058cda4c886f72b225a33993e8006821efd17e933a5ceb585ae2f2d5a0663f970efdc871f63ec0a132def02cb5c65917488f622812b0b7d
SSDEEP

384:ShQNm5ogigD0QKMt624t0BQKxqulLqJZfuYmcGB0T+axYC7dRt/peJXFmR:Sh3og9D0QKMtgaPIuOdUXa1pzxeJVmR

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
2148	Admin.exe
3724	Admin.exe
2904	Admin.exe
1156	Admin.exe
1332	Admin.exe
1572	Admin.exe
2020	Admin.exe
4380	Admin.exe
3108	Admin.exe
4696	Admin.exe
3208	Admin.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe /i"	Admin.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Admin.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe
2280	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe
2148	Admin.exe
2148	Admin.exe
3724	Admin.exe
3724	Admin.exe
2904	Admin.exe
2904	Admin.exe
1156	Admin.exe
1156	Admin.exe
1332	Admin.exe
1332	Admin.exe
1572	Admin.exe
1572	Admin.exe
2020	Admin.exe
2020	Admin.exe
4380	Admin.exe
4380	Admin.exe
3108	Admin.exe
3108	Admin.exe
4696	Admin.exe
4696	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe
3208	Admin.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2552	2280	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe	44
PID 2280 wrote to memory of 2148	2280	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe	82
PID 2280 wrote to memory of 2148	2280	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe	82
PID 2280 wrote to memory of 2148	2280	eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe	82
PID 2148 wrote to memory of 2560	2148	Admin.exe	45
PID 2148 wrote to memory of 3724	2148	Admin.exe	83
PID 2148 wrote to memory of 3724	2148	Admin.exe	83
PID 2148 wrote to memory of 3724	2148	Admin.exe	83
PID 3724 wrote to memory of 2744	3724	Admin.exe	48
PID 3724 wrote to memory of 2904	3724	Admin.exe	84
PID 3724 wrote to memory of 2904	3724	Admin.exe	84
PID 3724 wrote to memory of 2904	3724	Admin.exe	84
PID 2904 wrote to memory of 3652	2904	Admin.exe	57
PID 2904 wrote to memory of 1156	2904	Admin.exe	85
PID 2904 wrote to memory of 1156	2904	Admin.exe	85
PID 2904 wrote to memory of 1156	2904	Admin.exe	85
PID 1156 wrote to memory of 3864	1156	Admin.exe	58
PID 1156 wrote to memory of 1332	1156	Admin.exe	88
PID 1156 wrote to memory of 1332	1156	Admin.exe	88
PID 1156 wrote to memory of 1332	1156	Admin.exe	88
PID 1332 wrote to memory of 3952	1332	Admin.exe	59
PID 1332 wrote to memory of 1572	1332	Admin.exe	91
PID 1332 wrote to memory of 1572	1332	Admin.exe	91
PID 1332 wrote to memory of 1572	1332	Admin.exe	91
PID 1572 wrote to memory of 4016	1572	Admin.exe	60
PID 1572 wrote to memory of 2020	1572	Admin.exe	92
PID 1572 wrote to memory of 2020	1572	Admin.exe	92
PID 1572 wrote to memory of 2020	1572	Admin.exe	92
PID 2020 wrote to memory of 956	2020	Admin.exe	61
PID 2020 wrote to memory of 4380	2020	Admin.exe	93
PID 2020 wrote to memory of 4380	2020	Admin.exe	93
PID 2020 wrote to memory of 4380	2020	Admin.exe	93
PID 4380 wrote to memory of 2692	4380	Admin.exe	62
PID 4380 wrote to memory of 3108	4380	Admin.exe	95
PID 4380 wrote to memory of 3108	4380	Admin.exe	95
PID 4380 wrote to memory of 3108	4380	Admin.exe	95
PID 3108 wrote to memory of 1140	3108	Admin.exe	75
PID 3108 wrote to memory of 4696	3108	Admin.exe	96
PID 3108 wrote to memory of 4696	3108	Admin.exe	96
PID 3108 wrote to memory of 4696	3108	Admin.exe	96
PID 4696 wrote to memory of 2972	4696	Admin.exe	76
PID 4696 wrote to memory of 3208	4696	Admin.exe	97
PID 4696 wrote to memory of 3208	4696	Admin.exe	97
PID 4696 wrote to memory of 3208	4696	Admin.exe	97

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2560

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2692

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac66dbf6736f5768ed48f71da21f392_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\Admin.exe
  C:\Users\Admin\Admin.exe /r
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\Admin.exe
    C:\Users\Admin\Admin.exe /r
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\Admin.exe
      C:\Users\Admin\Admin.exe /r
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Users\Admin\Admin.exe
        
        C:\Users\Admin\Admin.exe /r
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: EnumeratesProcesses
        
        PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
20KB

MD5
eac66dbf6736f5768ed48f71da21f392

SHA1
6781ea8f567bbd7090c7251e62fb750799f39e39

SHA256
1c8950be7d83f1f3873f823ed0ba54addf10eeb6905303fec87f33e3aa8bc8d1

SHA512
d78b2472774d887c4058cda4c886f72b225a33993e8006821efd17e933a5ceb585ae2f2d5a0663f970efdc871f63ec0a132def02cb5c65917488f622812b0b7d

Download Submit
memory/1156-29-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/1156-32-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/1156-34-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/1156-30-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/1332-35-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/1332-37-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/1332-38-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/1332-33-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/1332-36-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/1572-43-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/1572-41-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/1572-40-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/1572-44-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2020-49-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2020-45-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2020-46-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2020-47-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2148-15-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2148-14-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2148-13-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2148-16-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2148-19-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2280-4-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2280-1-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2280-3-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2280-0-0x0000000076CD3000-0x0000000076CD4000-memory.dmp

Filesize
4KB

Download
memory/2280-12-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2280-2-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2904-25-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2904-28-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/2904-27-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/2904-24-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/3108-58-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/3108-55-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/3108-60-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/3108-56-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/3108-57-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/3724-20-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/3724-22-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/3724-23-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/3724-18-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/4380-52-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/4380-54-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/4380-51-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/4380-50-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/4696-62-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download
memory/4696-61-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/4696-63-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/4696-64-0x0000000076BB0000-0x0000000076DC5000-memory.dmp

Filesize
2.1MB

Download