db311173a61d19031b2dde31ffaa4c35be02e7ae507893d5b7230ba679eab006

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
Size

1.8MB
MD5

fa00efc192838dfe94e4284fa9d515fc
SHA1

9ae2001b4956413e14619a7f7eceb593890e8d0e
SHA256

db311173a61d19031b2dde31ffaa4c35be02e7ae507893d5b7230ba679eab006
SHA512

ca151bcf648dede3135ab89067000d505bb3a9301d21bff699d9263430c5d087b081da7bffc1c4f6cabd76868000cfa4ff25e16b0f83bfb92b3be3d58e738d77
SSDEEP

49152:UVQwEUACw+zgpA8/zqXd/rM8ylXemlSzwCW6bS8:QYAyzqXQlvSEC1R

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000600000001878d-18.dat	acprotect
behavioral1/memory/2524-20-0x00000000008F0000-0x00000000008F9000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1056	tmp0002.exe

Loads dropped DLL 13 IoCs

pid	Process
2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
1056	tmp0002.exe
1056	tmp0002.exe
2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
1056	tmp0002.exe
1056	tmp0002.exe
1056	tmp0002.exe
1056	tmp0002.exe
1056	tmp0002.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}\ = "PriceGong"	tmp0002.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001878d-18.dat	upx
behavioral1/memory/2524-20-0x00000000008F0000-0x00000000008F9000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PriceGong\2.6.5\PriceGongIE.dll	tmp0002.exe
File created	C:\Program Files (x86)\PriceGong\2.6.5\PriceGong.crx	tmp0002.exe
File created	C:\Program Files (x86)\PriceGong\uninst.exe	tmp0002.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp0002.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000190c6-22.dat	nsis_installer_1
behavioral1/files/0x00070000000190c6-22.dat	nsis_installer_2
behavioral1/files/0x00070000000193c1-81.dat	nsis_installer_1
behavioral1/files/0x00070000000193c1-81.dat	nsis_installer_2

Modifies registry class 59 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl\CurVer	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\0	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl\CLSID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO\ = "Shopping Assistant Plugin"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\VersionIndependentProgID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\AppID = "{835315FC-1BF6-4CA9-80CD-F6C158D40692}"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\FLAGS	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PriceGong\\2.6.5"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl.1\CLSID	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\TypeLib	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl.1	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl.1\CLSID\ = "{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl\CLSID\ = "{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl\CurVer\ = "PriceGongIE.PriceGongCtrl.1"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\ = "PriceGongCtrl Class"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\InprocServer32	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\HELPDIR	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl\ = "PriceGongCtrl Class"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\ProgID\ = "PriceGongIE.PriceGongCtrl.1"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\InprocServer32\ = "C:\\Program Files (x86)\\PriceGong\\2.6.5\\PriceGongIE.dll"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO.1\CLSID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO\CLSID\ = "{1631550F-191D-4826-B069-D9439253D926}"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO\CurVer	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\TypeLib	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\ = "PriceGongIE 1.0 Type Library"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\InprocServer32	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\ProgID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PriceGongIE.DLL\AppID = "{835315FC-1BF6-4CA9-80CD-F6C158D40692}"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO.1	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO\CLSID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO\CurVer\ = "PriceFactorIE.PriceGongBHO.1"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\AppID = "{835315FC-1BF6-4CA9-80CD-F6C158D40692}"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO.1\ = "Shopping Assistant Plugin"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\ProgID\ = "PriceFactorIE.PriceGongBHO.1"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\VersionIndependentProgID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\InprocServer32\ThreadingModel = "Apartment"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\TypeLib\ = "{PriceFactorIELib_CLSID}"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\VersionIndependentProgID\ = "PriceFactorIE.PriceGongBHO"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}\ = "PriceGongIE"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\TypeLib\ = "{8B3372D0-09F0-41A5-8D9B-134E148672FB}"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO.1\CLSID\ = "{1631550F-191D-4826-B069-D9439253D926}"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\0\win32	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\VersionIndependentProgID\ = "PriceGongIE.PriceGongCtrl"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\InprocServer32\ThreadingModel = "Apartment"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\ = "Shopping Assistant Plugin"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\FLAGS\ = "0"	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}\1.0\0\win32\ = "C:\\Program Files (x86)\\PriceGong\\2.6.5\\PriceGongIE.dll"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PriceGongIE.DLL	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\ProgID	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl.1\ = "PriceGongCtrl Class"	tmp0002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\Programmable	tmp0002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1631550F-191D-4826-B069-D9439253D926}\InprocServer32\ = "C:\\Program Files (x86)\\PriceGong\\2.6.5\\PriceGongIE.dll"	tmp0002.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1056	2524	fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa00efc192838dfe94e4284fa9d515fc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\tmp0002.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\tmp0002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\PriceGong\uninst.exe

Filesize
50KB

MD5
3ac3436bb8bc07414f8878bbfae3dc11

SHA1
af08977c093c59699948cdc6ce301a6edd3491df

SHA256
e92dd3873d17369bd3c7f9e027ab0c84eb44c899c972dce655d3c415c7d4ef22

SHA512
5b287a0305f68c0aa8bf3ac7b12d53a7cdefb756b6ce9ebd4e3980a8061d83b1e50b0775b7532245510acd5e411173078dda8a1717f81e294ba8fa679b4ba364

Download Submit
\Users\Admin\AppData\Local\Temp\PriceGongIE.dll

Filesize
408KB

MD5
ce8f11bc0dd6b749cc83778e90326a68

SHA1
cdc530374999045d301f3c7d9380c0b4d1ffa987

SHA256
57624e9b7aa7c7e9d463ca2630fb41af01d5741f3655cae98b2ace7ef7458626

SHA512
a1bd1ac707bb274983741c3d534b5c5f504a02a9845bfecda0bd93cf12b325b749b708d398d1c376baf35a6d9825ec377c141bfd34c61297896c718eb777ec30

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\inetc.dll

Filesize
20KB

MD5
134b93f8bd1f82cd2f1b06c878580703

SHA1
29cdbce7a2caf1f7e4d2a139c42336d490074665

SHA256
45153adf50541316468e2b189a0f8127be9fb29e2f920e7eeaa6aceb438db8c4

SHA512
f970c38debb6631dab7369e2bc96237f16a8fd328d9d35a2b54cb688e1807f62cc6d63230afe89ce5c3945097ae4466872c72929a9623adde3ee57bddf54b692

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA7D4.tmp\tmp0002.exe

Filesize
1.7MB

MD5
b05064e78e26f1fb9278e84875ce659a

SHA1
b0604d0fcb49972a5fb4e3f77a8702fafcf267b3

SHA256
c0a571d5ce931ee3c0b479f6c00f584eb314dc9ead6b30c6447f9e060ca18563

SHA512
2402341d9f553253b7f2688302cf4b4df6c18d31cc59d00d18394fce25ca340963c46c6677fba0fa46b753630a72658065c83a9ba1737ba702e30efcbe2014fc

Download Submit
memory/2524-13-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/2524-20-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download