c562ea2ac0538e2929363c2f173ade929b9c2de429951725162a973e6966e708

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
Size

231KB
MD5

11bf5ba3ddaf306c6660e7cd9d6ee846
SHA1

32467354d7493dd33a235cf0fde784b5dacdee4a
SHA256

c562ea2ac0538e2929363c2f173ade929b9c2de429951725162a973e6966e708
SHA512

3f041a806bcc677c6ceb116cd09c0edff5e596bf9058fde298dbcd0e403beac4c0a41253e6456c4a25fc673af87a8681d229d6080d8e3e1fa261e35b237f4887
SSDEEP

6144:th1WGuG6z4AQ/K79ZQA0HMWXx2cB2zbm88bk0UE:D1WHPQS79qMW0cgmVp

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	oeoirieriej.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\oeoirieriej.exe = "C:\\oeoirieriej\\oeoirieriej.exe"	oeoirieriej.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2616-18-0x0000000000400000-0x0000000000473000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oeoirieriej.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter	oeoirieriej.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	oeoirieriej.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	oeoirieriej.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery	oeoirieriej.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	oeoirieriej.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DBControl	oeoirieriej.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DBControl	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe
2616	oeoirieriej.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
Token: SeDebugPrivilege	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
Token: SeDebugPrivilege	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
Token: SeDebugPrivilege	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe
Token: SeDebugPrivilege	2616	oeoirieriej.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1208	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	21
PID 2328 wrote to memory of 380	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	3
PID 2328 wrote to memory of 428	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	5
PID 2328 wrote to memory of 488	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	7
PID 2328 wrote to memory of 496	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	8
PID 2328 wrote to memory of 596	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	9
PID 2328 wrote to memory of 672	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	10
PID 2328 wrote to memory of 748	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	11
PID 2328 wrote to memory of 812	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	12
PID 2328 wrote to memory of 848	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	13
PID 2328 wrote to memory of 964	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	15
PID 2328 wrote to memory of 272	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	16
PID 2328 wrote to memory of 352	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	17
PID 2328 wrote to memory of 1052	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	18
PID 2328 wrote to memory of 1112	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	19
PID 2328 wrote to memory of 1164	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	20
PID 2328 wrote to memory of 1208	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	21
PID 2328 wrote to memory of 612	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	23
PID 2328 wrote to memory of 836	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	24
PID 2328 wrote to memory of 1804	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	25
PID 2328 wrote to memory of 2204	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	26
PID 2328 wrote to memory of 2392	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	27
PID 2328 wrote to memory of 2136	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2616	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2616	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2616	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2616	2328	11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe	31
PID 2616 wrote to memory of 1208	2616	oeoirieriej.exe	21
PID 2616 wrote to memory of 380	2616	oeoirieriej.exe	3
PID 2616 wrote to memory of 428	2616	oeoirieriej.exe	5
PID 2616 wrote to memory of 488	2616	oeoirieriej.exe	7
PID 2616 wrote to memory of 496	2616	oeoirieriej.exe	8
PID 2616 wrote to memory of 596	2616	oeoirieriej.exe	9
PID 2616 wrote to memory of 672	2616	oeoirieriej.exe	10
PID 2616 wrote to memory of 748	2616	oeoirieriej.exe	11
PID 2616 wrote to memory of 812	2616	oeoirieriej.exe	12
PID 2616 wrote to memory of 848	2616	oeoirieriej.exe	13
PID 2616 wrote to memory of 964	2616	oeoirieriej.exe	15
PID 2616 wrote to memory of 272	2616	oeoirieriej.exe	16
PID 2616 wrote to memory of 352	2616	oeoirieriej.exe	17
PID 2616 wrote to memory of 1052	2616	oeoirieriej.exe	18
PID 2616 wrote to memory of 1112	2616	oeoirieriej.exe	19
PID 2616 wrote to memory of 1164	2616	oeoirieriej.exe	20
PID 2616 wrote to memory of 1208	2616	oeoirieriej.exe	21
PID 2616 wrote to memory of 612	2616	oeoirieriej.exe	23
PID 2616 wrote to memory of 836	2616	oeoirieriej.exe	24
PID 2616 wrote to memory of 1804	2616	oeoirieriej.exe	25
PID 2616 wrote to memory of 2204	2616	oeoirieriej.exe	26
PID 2616 wrote to memory of 2392	2616	oeoirieriej.exe	27
PID 2616 wrote to memory of 2136	2616	oeoirieriej.exe	28
PID 2616 wrote to memory of 2328	2616	oeoirieriej.exe	30
PID 2616 wrote to memory of 1596	2616	oeoirieriej.exe	32
PID 2616 wrote to memory of 1532	2616	oeoirieriej.exe	33

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:612
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1804
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:1596
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:812
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  2⤵
  PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:272

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1052

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\11bf5ba3ddaf306c6660e7cd9d6ee846_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\oeoirieriej\oeoirieriej.exe
    "C:\oeoirieriej\oeoirieriej.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2204

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\oeoirieriej\config.bin

Filesize
75KB

MD5
dd45a29f0a2e372d86e7794c2a378cac

SHA1
5dcb86a60d00e7affa2a5f27d3e9e775ff0bf233

SHA256
a03dec0f32995ad6badc92b16dda1d08c4e6b2e37deb7c0ebb1a0841e795b6bc

SHA512
988e1e5f497c3d924702c0a7ac0797b624b7cc2dd0da810ac0812910190239bc4badc257f1ab374ba96ffb2686811a18f2b9bf5d0e7be97dbda7898203afc983

Download Submit
\oeoirieriej\oeoirieriej.exe

Filesize
231KB

MD5
11bf5ba3ddaf306c6660e7cd9d6ee846

SHA1
32467354d7493dd33a235cf0fde784b5dacdee4a

SHA256
c562ea2ac0538e2929363c2f173ade929b9c2de429951725162a973e6966e708

SHA512
3f041a806bcc677c6ceb116cd09c0edff5e596bf9058fde298dbcd0e403beac4c0a41253e6456c4a25fc673af87a8681d229d6080d8e3e1fa261e35b237f4887

Download Submit
memory/1208-74-0x000000000BB60000-0x000000000BBB7000-memory.dmp

Filesize
348KB

Download
memory/1208-14-0x000000000BAD0000-0x000000000BB1D000-memory.dmp

Filesize
308KB

Download
memory/2328-2-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2328-1-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2328-0-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/2616-23-0x00000000003B0000-0x00000000003FD000-memory.dmp

Filesize
308KB

Download
memory/2616-33-0x00000000003B0000-0x00000000003FD000-memory.dmp

Filesize
308KB

Download
memory/2616-25-0x00000000003B0000-0x00000000003FD000-memory.dmp

Filesize
308KB

Download
memory/2616-26-0x00000000003B0000-0x00000000003FD000-memory.dmp

Filesize
308KB

Download
memory/2616-17-0x00000000003B0000-0x00000000003FD000-memory.dmp

Filesize
308KB

Download
memory/2616-18-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download