8f193d29d6cf3c90b84f85679722f57d625a1f01cd0af233e8612fb0dc5d79f9

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
Size

164KB
MD5

0ed664a2d35eaa5269a4b3d260296350
SHA1

a271696502fa46b9ed8708760bb8daea872d4d1e
SHA256

8f193d29d6cf3c90b84f85679722f57d625a1f01cd0af233e8612fb0dc5d79f9
SHA512

d8cee1fc886ca51105c773aa763f33a6566ff0af3006f5b8919bb74648674edcaee70ed68145ebff7e3d1d6a1eb4e27010f886a82cb153778f2537e40f39763b
SSDEEP

3072:R+qZQOhWL8RYiZ6xUS6n9lBFO1SSAhKGnAlRLUp/fDd2KT9Fk7hKPDFtd2Wi:tQOgLoYiZ6xUSO9lG1SSA63LU72g7o0M

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	Recycle.Bin.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Recycle.Bin.exe = "C:\\Recycle.Bin\\Recycle.Bin.exe"	Recycle.Bin.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-2-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2508-1-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2508-4-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1800-14-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1800-15-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1800-29-0x0000000000400000-0x000000000047D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recycle.Bin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	Recycle.Bin.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PhishingFilter	Recycle.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	Recycle.Bin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	Recycle.Bin.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery	Recycle.Bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe
1800	Recycle.Bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe
Token: SeDebugPrivilege	1800	Recycle.Bin.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1212	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	21
PID 2508 wrote to memory of 384	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	3
PID 2508 wrote to memory of 432	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	5
PID 2508 wrote to memory of 492	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	7
PID 2508 wrote to memory of 500	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	8
PID 2508 wrote to memory of 604	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	9
PID 2508 wrote to memory of 680	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	10
PID 2508 wrote to memory of 756	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	11
PID 2508 wrote to memory of 820	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	12
PID 2508 wrote to memory of 864	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	13
PID 2508 wrote to memory of 976	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	15
PID 2508 wrote to memory of 272	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	16
PID 2508 wrote to memory of 276	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	17
PID 2508 wrote to memory of 1064	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	18
PID 2508 wrote to memory of 1104	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	19
PID 2508 wrote to memory of 1168	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	20
PID 2508 wrote to memory of 1212	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	21
PID 2508 wrote to memory of 1260	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	23
PID 2508 wrote to memory of 1676	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	24
PID 2508 wrote to memory of 496	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	25
PID 2508 wrote to memory of 2420	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	26
PID 2508 wrote to memory of 1752	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	27
PID 2508 wrote to memory of 1800	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1800	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1800	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1800	2508	0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1212	1800	Recycle.Bin.exe	21
PID 1800 wrote to memory of 384	1800	Recycle.Bin.exe	3
PID 1800 wrote to memory of 432	1800	Recycle.Bin.exe	5
PID 1800 wrote to memory of 492	1800	Recycle.Bin.exe	7
PID 1800 wrote to memory of 500	1800	Recycle.Bin.exe	8
PID 1800 wrote to memory of 604	1800	Recycle.Bin.exe	9
PID 1800 wrote to memory of 680	1800	Recycle.Bin.exe	10
PID 1800 wrote to memory of 756	1800	Recycle.Bin.exe	11
PID 1800 wrote to memory of 820	1800	Recycle.Bin.exe	12
PID 1800 wrote to memory of 864	1800	Recycle.Bin.exe	13
PID 1800 wrote to memory of 976	1800	Recycle.Bin.exe	15
PID 1800 wrote to memory of 272	1800	Recycle.Bin.exe	16
PID 1800 wrote to memory of 276	1800	Recycle.Bin.exe	17
PID 1800 wrote to memory of 1064	1800	Recycle.Bin.exe	18
PID 1800 wrote to memory of 1104	1800	Recycle.Bin.exe	19
PID 1800 wrote to memory of 1168	1800	Recycle.Bin.exe	20
PID 1800 wrote to memory of 1212	1800	Recycle.Bin.exe	21
PID 1800 wrote to memory of 1260	1800	Recycle.Bin.exe	23
PID 1800 wrote to memory of 1676	1800	Recycle.Bin.exe	24
PID 1800 wrote to memory of 496	1800	Recycle.Bin.exe	25
PID 1800 wrote to memory of 2420	1800	Recycle.Bin.exe	26
PID 1800 wrote to memory of 1752	1800	Recycle.Bin.exe	27
PID 1800 wrote to memory of 2508	1800	Recycle.Bin.exe	29
PID 1800 wrote to memory of 2272	1800	Recycle.Bin.exe	31
PID 1800 wrote to memory of 380	1800	Recycle.Bin.exe	32

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:604
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1260
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:496
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:820
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  2⤵
  PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:864
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:272

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0ed664a2d35eaa5269a4b3d260296350_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Recycle.Bin\Recycle.Bin.exe
    "C:\Recycle.Bin\Recycle.Bin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2420

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycle.Bin\Recycle.Bin.exe

Filesize
164KB

MD5
0ed664a2d35eaa5269a4b3d260296350

SHA1
a271696502fa46b9ed8708760bb8daea872d4d1e

SHA256
8f193d29d6cf3c90b84f85679722f57d625a1f01cd0af233e8612fb0dc5d79f9

SHA512
d8cee1fc886ca51105c773aa763f33a6566ff0af3006f5b8919bb74648674edcaee70ed68145ebff7e3d1d6a1eb4e27010f886a82cb153778f2537e40f39763b

Download Submit
C:\Recycle.Bin\config.bin

Filesize
23KB

MD5
9998353b733f7a934ccb95fe818978a4

SHA1
bdd6a09a696a9acb34c4a7b211eddd1da1c345f3

SHA256
a7745c920168ff244c2b3bb0dc6f9d51d287e81c7c8caac0622245e0cccd17bd

SHA512
0523a90695cb0772efac7edf5025b244c08a6b425369fb0ec35ab9f3f93fe79115837a6884176159893190bf97db2af7781b1b286f049796d98b053ef261a7e9

Download Submit
memory/1212-18-0x000000000BAD0000-0x000000000BB1D000-memory.dmp

Filesize
308KB

Download
memory/1212-75-0x000000000BB60000-0x000000000BBB7000-memory.dmp

Filesize
348KB

Download
memory/1800-29-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1800-14-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1800-15-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1800-21-0x00000000002B0000-0x00000000002FD000-memory.dmp

Filesize
308KB

Download
memory/1800-27-0x00000000002B0000-0x00000000002FD000-memory.dmp

Filesize
308KB

Download
memory/1800-26-0x00000000002B0000-0x00000000002FD000-memory.dmp

Filesize
308KB

Download
memory/2508-4-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2508-0-0x0000000001E30000-0x0000000001F20000-memory.dmp

Filesize
960KB

Download
memory/2508-3-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2508-1-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2508-2-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download