0e8bc46c91e45042af2997416d79997903702a12451d98b93ca24ff3b70547a8

Analysis

max time kernel
1s
max time network
5s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/03/2025, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Size

37KB
MD5

7d7898b8b4e7957c4a0bb5fdfae7d2b8
SHA1

47dca991b32e60d367be2c2384cb5681428272e3
SHA256

0e8bc46c91e45042af2997416d79997903702a12451d98b93ca24ff3b70547a8
SHA512

1fcae93785d6fc9021cbc44f2f139ce5a3401c8d27623fbac549523593915d4b57655e8079dd7afdc469fd042f77ceee8c171c86847e596d4a4e248ed4065f8e
SSDEEP

768:MYuwqgY48mWxEgfXmBN0ldWxOFfXFQ30ABVvtpG/oMM:MYwIWT+BqldWxUSESvtp8oMM

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00100000000122f3-4.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fvxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe"	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bntmle.dll	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
File opened for modification	C:\Windows\SysWOW64\hleuub.exe	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
File created	C:\Windows\SysWOW64\hleuub.exe	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
File opened for modification	C:\WINDOWS\SysWOW64\NOTEPAD.EXE	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/816-0-0x00000000004A0000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x00100000000122f3-4.dat	upx
behavioral1/memory/816-11-0x00000000721F0000-0x00000000721F8000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\Bntmle.dll"	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
Token: SeDebugPrivilege	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 368	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	3
PID 816 wrote to memory of 368	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	3
PID 816 wrote to memory of 368	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	3
PID 816 wrote to memory of 380	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	4
PID 816 wrote to memory of 380	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	4
PID 816 wrote to memory of 380	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	4
PID 816 wrote to memory of 412	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	5
PID 816 wrote to memory of 412	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	5
PID 816 wrote to memory of 412	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	5
PID 816 wrote to memory of 464	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	6
PID 816 wrote to memory of 464	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	6
PID 816 wrote to memory of 464	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	6
PID 816 wrote to memory of 480	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	7
PID 816 wrote to memory of 480	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	7
PID 816 wrote to memory of 480	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	7
PID 816 wrote to memory of 488	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	8
PID 816 wrote to memory of 488	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	8
PID 816 wrote to memory of 488	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	8
PID 816 wrote to memory of 588	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	9
PID 816 wrote to memory of 588	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	9
PID 816 wrote to memory of 588	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	9
PID 816 wrote to memory of 664	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	10
PID 816 wrote to memory of 664	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	10
PID 816 wrote to memory of 664	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	10
PID 816 wrote to memory of 748	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	11
PID 816 wrote to memory of 748	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	11
PID 816 wrote to memory of 748	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	11
PID 816 wrote to memory of 796	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	12
PID 816 wrote to memory of 796	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	12
PID 816 wrote to memory of 796	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	12
PID 816 wrote to memory of 848	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	13
PID 816 wrote to memory of 848	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	13
PID 816 wrote to memory of 848	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	13
PID 816 wrote to memory of 984	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	15
PID 816 wrote to memory of 984	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	15
PID 816 wrote to memory of 984	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	15
PID 816 wrote to memory of 284	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	16
PID 816 wrote to memory of 284	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	16
PID 816 wrote to memory of 284	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	16
PID 816 wrote to memory of 1012	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	17
PID 816 wrote to memory of 1012	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	17
PID 816 wrote to memory of 1012	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	17
PID 816 wrote to memory of 1032	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	18
PID 816 wrote to memory of 1032	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	18
PID 816 wrote to memory of 1032	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	18
PID 816 wrote to memory of 1196	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	19
PID 816 wrote to memory of 1196	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	19
PID 816 wrote to memory of 1196	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	19
PID 816 wrote to memory of 1296	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	20
PID 816 wrote to memory of 1296	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	20
PID 816 wrote to memory of 1296	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	20
PID 816 wrote to memory of 1336	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	21
PID 816 wrote to memory of 1336	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	21
PID 816 wrote to memory of 1336	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	21
PID 816 wrote to memory of 1456	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	23
PID 816 wrote to memory of 1456	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	23
PID 816 wrote to memory of 1456	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	23
PID 816 wrote to memory of 1660	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	24
PID 816 wrote to memory of 1660	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	24
PID 816 wrote to memory of 1660	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	24
PID 816 wrote to memory of 1740	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	25
PID 816 wrote to memory of 1740	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	25
PID 816 wrote to memory of 1740	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	25
PID 816 wrote to memory of 2484	816	JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe	26

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:588
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1660
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1740
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:664
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:796
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1296
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1012
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1032
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1196
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1456
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2484
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2520
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d7898b8b4e7957c4a0bb5fdfae7d2b8.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\notepad.exe
    notepad "C:\Users\Admin\AppData\Local\Temp\Message"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Message

Filesize
4KB

MD5
b5ef6709e78ca53b6cac52882f8a898b

SHA1
8cb9e4458288769c62542be7a48c6f121a3c75c1

SHA256
8e57484bc958e28936651967e7be05b82b08def09536ea0f1742c4737d0bbb21

SHA512
160678c962184c07d10bd1ee9074a03183beefd0c58fd752a360b48d86663a7c5c178818457a0a99e997481fde60461e4809fd336625ac70c6703f89b86c87cd

Download Submit
\Windows\SysWOW64\Bntmle.dll

Filesize
10KB

MD5
f1a1b08fc928cda8d8063110ce46af23

SHA1
221a5a6b20610408f9dce95db73f75299bad03d9

SHA256
3fd8acaff2475aca133cf2abe55f87be2c67d10135eeee029d3bfc76d92cd484

SHA512
e4bd929bf86ab8e2dc91f70007c796c458d0296eaccd70f8459cd49af01d69b74ba182ff78507fe5c36aff48737aa203044e6a80fa0af4dfa11ced75824868a2

Download Submit
memory/816-0-0x00000000004A0000-0x00000000004B7000-memory.dmp

Filesize
92KB

Download
memory/816-1-0x00000000774E0000-0x00000000774E1000-memory.dmp

Filesize
4KB

Download
memory/816-2-0x00000000774DF000-0x00000000774E0000-memory.dmp

Filesize
4KB

Download
memory/816-11-0x00000000721F0000-0x00000000721F8000-memory.dmp

Filesize
32KB

Download