13f845bb8c50f726c6bce0bbce429dd23fb87c3dbc203c5c1236ab28768c8261

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
Size

175KB
MD5

1aec6a8db083983fd31f5c335165e3a1
SHA1

f4ff90d4142375d96b96256e940e96eee3b28982
SHA256

13f845bb8c50f726c6bce0bbce429dd23fb87c3dbc203c5c1236ab28768c8261
SHA512

27e2c6a977e70194a3f30726d220bcfda81b726e33c814f729d9d5f60769f2fd51d152ad46a721ea256b456946a61016af7b391849b7e1aab5b8f82e0e980e8f
SSDEEP

3072:1s/hHWcotWIout3f0333vg52mtwpS01wj1Nku3ZcjNyiEsY/NhKjkgUVkdJew/:1oothoS3vtEPG1Wu3ZcjNyDs3wVkdJek

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2504	netsh.exe

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2232	ipzyab.exe
2356	ipzyab.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
2232	ipzyab.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D10EDD2A-A790-8660-7319-6F68540EB825} = "C:\\Users\\Admin\\AppData\\Roaming\\Ukmyky\\ipzyab.exe"	ipzyab.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2232 set thread context of 2356	2232	ipzyab.exe	33
PID 1956 set thread context of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Privacy	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\28F82C81-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe
2356	ipzyab.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
Token: SeSecurityPrivilege	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
Token: SeSecurityPrivilege	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
Token: SeManageVolumePrivilege	660	WinMail.exe
Token: SeSecurityPrivilege	2012	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
660	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 2560 wrote to memory of 1956	2560	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2848	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2848	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2848	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2848	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2232	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2232	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2232	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2232	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	31
PID 2848 wrote to memory of 2504	2848	cmd.exe	32
PID 2848 wrote to memory of 2504	2848	cmd.exe	32
PID 2848 wrote to memory of 2504	2848	cmd.exe	32
PID 2848 wrote to memory of 2504	2848	cmd.exe	32
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2232 wrote to memory of 2356	2232	ipzyab.exe	33
PID 2356 wrote to memory of 1048	2356	ipzyab.exe	17
PID 2356 wrote to memory of 1048	2356	ipzyab.exe	17
PID 2356 wrote to memory of 1048	2356	ipzyab.exe	17
PID 2356 wrote to memory of 1048	2356	ipzyab.exe	17
PID 2356 wrote to memory of 1048	2356	ipzyab.exe	17
PID 2356 wrote to memory of 1064	2356	ipzyab.exe	18
PID 2356 wrote to memory of 1064	2356	ipzyab.exe	18
PID 2356 wrote to memory of 1064	2356	ipzyab.exe	18
PID 2356 wrote to memory of 1064	2356	ipzyab.exe	18
PID 2356 wrote to memory of 1064	2356	ipzyab.exe	18
PID 2356 wrote to memory of 1120	2356	ipzyab.exe	20
PID 2356 wrote to memory of 1120	2356	ipzyab.exe	20
PID 2356 wrote to memory of 1120	2356	ipzyab.exe	20
PID 2356 wrote to memory of 1120	2356	ipzyab.exe	20
PID 2356 wrote to memory of 1120	2356	ipzyab.exe	20
PID 2356 wrote to memory of 1956	2356	ipzyab.exe	28
PID 2356 wrote to memory of 1956	2356	ipzyab.exe	28
PID 2356 wrote to memory of 1956	2356	ipzyab.exe	28
PID 2356 wrote to memory of 1956	2356	ipzyab.exe	28
PID 2356 wrote to memory of 1956	2356	ipzyab.exe	28
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2012	1956	1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe	35
PID 2356 wrote to memory of 660	2356	ipzyab.exe	34
PID 2356 wrote to memory of 660	2356	ipzyab.exe	34
PID 2356 wrote to memory of 660	2356	ipzyab.exe	34
PID 2356 wrote to memory of 660	2356	ipzyab.exe	34
PID 2356 wrote to memory of 660	2356	ipzyab.exe	34

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1048

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\1aec6a8db083983fd31f5c335165e3a1_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp456e3ac8.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Ukmyky\ipzyab.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2504
  - - C:\Users\Admin\AppData\Roaming\Ukmyky\ipzyab.exe
      "C:\Users\Admin\AppData\Roaming\Ukmyky\ipzyab.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Users\Admin\AppData\Roaming\Ukmyky\ipzyab.exe
        
        C:\Users\Admin\AppData\Roaming\Ukmyky\ipzyab.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp94c31f45.bat"
      4⤵
      Deletes itself
      Suspicious use of AdjustPrivilegeToken
      PID:2012

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
911d7875d4268950fbf3614cbdf31a17

SHA1
4bf88237ab5a0b37b79a1dbaa1fc0e50d7dd99cd

SHA256
bb7eb3e93ede7c8b684334c2fdeb329aae01de9a454a4d99ed7b50185ac19b6d

SHA512
8a3148442564c5ea548a26876a51463a53e594008aa5cb2d19457d2e76b87ccd940afcc5611fa3d227ed907a2b85fac001db848cc0cf8c597b5afce370daabd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp456e3ac8.bat

Filesize
202B

MD5
e0a6be5835ccb13c4ad785b4bca1a3c0

SHA1
015b3062abc9d4a9286c9864f22dcf810c081026

SHA256
d820d511c7ec73d9ff3419c5aad7bd28bd8bda94e0aaf7b404cee1655e224ac2

SHA512
d7e34b925deb003aa651244935b58946f8d6d388d5963420ffd9d7f2cc3ae8c8c6e7fe764fb7d430028eff7f5783e6e54489770e43b70575e35cea4c6434928d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94c31f45.bat

Filesize
271B

MD5
a9cd53a5d3a0086dc93d3a5353997571

SHA1
00e0e9dfef4c2a2d949a7c16e0e5ff6edb267e92

SHA256
6d6ae459733821f5d73e8b83d131d917797b98ed2b3bb451d4d1bfa745c1e2ce

SHA512
c94b27149d2d0c1272cc0be321a431730e9d70ed8d44da8c59f16c079224cd6020fb50064edb4fc39ff33f8f354ec889d5ecd19e491a6689ebb55418c4f5316c

Download Submit
C:\Users\Admin\AppData\Roaming\Yfol\yxtoupz.ozb

Filesize
380B

MD5
37e321e236f3d0dbb7d9b69be11c9303

SHA1
0fa8fe8c6ea9b96e970f9750a4243bc7e89b86aa

SHA256
33d39de031ca4b4d92f4c0f40f7f18d4d0a80cf18f162ff0070378650ebca3ef

SHA512
65f2facbee99eaa21a4c250c531bb6d394c8ec0b17dd03f0b01e4dfc8d575ed784b568ec1380669bb17c8d4fb35433b801d4513262bc8b8ea3f9fb365bcb823b

Download Submit
\Users\Admin\AppData\Roaming\Ukmyky\ipzyab.exe

Filesize
175KB

MD5
041eb4cf7c5495c4571560f0e561898c

SHA1
ecd22d742352f5220f89c6333b1b53e071a34e1b

SHA256
f18fab901ebd326299546722864cfdafd286c9128d584d28cd4956991318cf40

SHA512
e7305d565e9b4b672d5347159183ac51424236879766d2d0ffa66bea4cf1eda435efa458c5039c295eaab88fc29232e62137fa279b03d2c5f8be977c39db5237

Download Submit
memory/1048-49-0x0000000001DC0000-0x0000000001DE8000-memory.dmp

Filesize
160KB

Download
memory/1048-51-0x0000000001DC0000-0x0000000001DE8000-memory.dmp

Filesize
160KB

Download
memory/1048-52-0x0000000001DC0000-0x0000000001DE8000-memory.dmp

Filesize
160KB

Download
memory/1048-50-0x0000000001DC0000-0x0000000001DE8000-memory.dmp

Filesize
160KB

Download
memory/1064-54-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/1064-55-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/1064-56-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/1064-57-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/1120-59-0x0000000002920000-0x0000000002948000-memory.dmp

Filesize
160KB

Download
memory/1120-60-0x0000000002920000-0x0000000002948000-memory.dmp

Filesize
160KB

Download
memory/1120-62-0x0000000002920000-0x0000000002948000-memory.dmp

Filesize
160KB

Download
memory/1120-61-0x0000000002920000-0x0000000002948000-memory.dmp

Filesize
160KB

Download
memory/1956-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1956-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-69-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-81-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-79-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-77-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-75-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-73-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-71-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1956-68-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1956-67-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1956-66-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1956-65-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1956-64-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1956-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-219-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-220-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1956-25-0x0000000000280000-0x00000000002DF000-memory.dmp

Filesize
380KB

Download
memory/1956-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2232-186-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-26-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-31-0x0000000000340000-0x000000000039F000-memory.dmp

Filesize
380KB

Download
memory/2356-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2356-426-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2560-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2560-28-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download