c5267912243de71776eb562ebdf8ccc9e4e102f90e033a343e0aa5816ba75d6a

Analysis

max time kernel
145s
max time network
131s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
Size

3.1MB
MD5

93fe5f8a4450a7e00a6b0cd3d2f91103
SHA1

05f6ada491e7cd3769536ce203d15a3b04751b88
SHA256

c5267912243de71776eb562ebdf8ccc9e4e102f90e033a343e0aa5816ba75d6a
SHA512

0ddd1dca769c3604a078e84eefc1cce076252398ca1f5258c07638156b7c3fd42e7d14326879aeeec6025ec2f8ba51e427ed4b6f5bef5431d3c8ecc661773e2a
SSDEEP

98304:3z6eo4lS/6LD2WWlhyOlYX6+no/uS91OiDbzacfWH3drfZ:3z6eo4lSC/9Wy2Ydo/fFDbzaoKx

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2068	TTINST.scr
2572	INS9F4B.tmp
2752	adobe.scr
3000	reader.scr
2328	reader.scr
2936	adobe.scr
568	_xx_Forvard.exe
2040	_xx_Forvard.exe

Loads dropped DLL 17 IoCs

pid	Process
2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
2068	TTINST.scr
2068	TTINST.scr
2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
3000	reader.scr
2752	adobe.scr
2936	adobe.scr
568	_xx_Forvard.exe
568	_xx_Forvard.exe
568	_xx_Forvard.exe
568	_xx_Forvard.exe
2040	_xx_Forvard.exe
2040	_xx_Forvard.exe
2040	_xx_Forvard.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2056-0-0x0000000000400000-0x00000000007C7000-memory.dmp	upx
behavioral1/files/0x0007000000016d2a-24.dat	upx
behavioral1/memory/2752-32-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2056-43-0x0000000000400000-0x00000000007C7000-memory.dmp	upx
behavioral1/memory/2752-82-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2752-63-0x0000000003290000-0x000000000340B000-memory.dmp	upx
behavioral1/memory/568-125-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/568-136-0x00000000030B0000-0x000000000322B000-memory.dmp	upx
behavioral1/memory/568-173-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2040-182-0x0000000000AC0000-0x0000000000C3B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "C:\\Users\\Admin\\AppData\\Local\\_xx_Forvard.exe"	_xx_Forvard.exe

Maps connected drives based on registry 3 TTPs 8 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	adobe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	reader.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	reader.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	_xx_Forvard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	_xx_Forvard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	adobe.scr

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2328	3000	reader.scr	34
PID 2752 set thread context of 2936	2752	adobe.scr	35
PID 568 set thread context of 2040	568	_xx_Forvard.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TTINST.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_xx_Forvard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_xx_Forvard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INS9F4B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reader.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reader.scr

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2328	reader.scr

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
2752	adobe.scr
3000	reader.scr
568	_xx_Forvard.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2068	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2068 wrote to memory of 2572	2068	TTINST.scr	31
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2752	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	32
PID 2056 wrote to memory of 3000	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	33
PID 2056 wrote to memory of 3000	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	33
PID 2056 wrote to memory of 3000	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	33
PID 2056 wrote to memory of 3000	2056	93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe	33
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 3000 wrote to memory of 2328	3000	reader.scr	34
PID 2328 wrote to memory of 1196	2328	reader.scr	21
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2752 wrote to memory of 2936	2752	adobe.scr	35
PID 2328 wrote to memory of 1196	2328	reader.scr	21
PID 2328 wrote to memory of 1196	2328	reader.scr	21
PID 2328 wrote to memory of 1196	2328	reader.scr	21
PID 2328 wrote to memory of 1196	2328	reader.scr	21
PID 2328 wrote to memory of 1196	2328	reader.scr	21
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 2936 wrote to memory of 568	2936	adobe.scr	36
PID 568 wrote to memory of 2040	568	_xx_Forvard.exe	37
PID 568 wrote to memory of 2040	568	_xx_Forvard.exe	37
PID 568 wrote to memory of 2040	568	_xx_Forvard.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\93fe5f8a4450a7e00a6b0cd3d2f91103_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\TTINST.scr
    "C:\Users\Admin\AppData\Local\Temp\TTINST.scr" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\INS9F4B.tmp
      C:\Users\Admin\AppData\Local\Temp\INS9F4B.tmp /SL2 C:\Users\Admin\AppData\Local\Temp\TTINST.scr 1802802 1806260 59904 /S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2572
- - C:\Users\Admin\AppData\Local\Temp\adobe.scr
    "C:\Users\Admin\AppData\Local\Temp\adobe.scr" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\adobe.scr
      C:\Users\Admin\AppData\Local\Temp\adobe.scr
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Users\Admin\AppData\Local\_xx_Forvard.exe
        
        "C:\Users\Admin\AppData\Local\_xx_Forvard.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Users\Admin\AppData\Local\_xx_Forvard.exe
        
        C:\Users\Admin\AppData\Local\_xx_Forvard.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\reader.scr
    "C:\Users\Admin\AppData\Local\Temp\reader.scr" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\reader.scr
      C:\Users\Admin\AppData\Local\Temp\reader.scr
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INS9F4B.tmp

Filesize
312KB

MD5
be56eb03050398af4574efc3f6f2d465

SHA1
f8ae73dcb0743311d53eb88c1de5696ac5dc5f07

SHA256
a69ec515454f36a63fed37e5ea0a03059682dd011ba53a55bf853d32d9331ed4

SHA512
b88dea6bfb914aa02f0ec35bcf9eac6eeca3e4ca8a6e9a590b6bfa6e3ee6f11d565e4c6358e840b4ae4b1cc51a1d3ae4bc29c21d78ab527e72dc2aa2ec9a2af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\reader.scr

Filesize
760KB

MD5
d0918c15f1ce850cf12ebe4fa476bf31

SHA1
94ec45cbd95e9caf1bc47efb04742c4985337fd7

SHA256
fcb5d0539d47e33abf7217691ab528cbabd81bd47a19478e13c1ce40143d5317

SHA512
4fc8d5210c99571e026fa846511997f46cb991ca31a4b361a19dc56895b3cba29a5d47877dadbd30e82432337e42c4b27fdffa7b460d11b86994eaf193f29bef

Download Submit
\Users\Admin\AppData\Local\Temp\TTINST.scr

Filesize
1.8MB

MD5
4d5f3abba6fc810e7eb1c4b16315e7a6

SHA1
20d594132cbfab2e818e25416f1ee663524dce14

SHA256
6fc5fcb82f26c2d96a1ba281c6be1cb7555997a90cbe4dab49c2977b8820dca4

SHA512
51ed0e9420139f338959d9b5cda4c94d2d5e761d5281171da5d2d7edc11a0b701e0940414da44ca8254210e367d64afd0d513792529e701fbef7777a47f38251

Download Submit
\Users\Admin\AppData\Local\Temp\adobe.scr

Filesize
491KB

MD5
be6933dbbb9c24030da14c6730156ba6

SHA1
45a585d25ebf83b0d9145ced20d93fd625fb3f1a

SHA256
9c5420dee09220c90f4742fca76906231eac19ddc6bc4340f5768b6ab047719c

SHA512
da30410ee40d615c6e78f0eaeaef7386f344def3132f32d700cc692e5ae7b1217cf8ffc8ba6ab059e362912d6d39004a3dda63e2160f4d7e5c97e2fe2e35a391

Download Submit
memory/568-173-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/568-125-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/568-130-0x0000000000CB0000-0x0000000000E2B000-memory.dmp

Filesize
1.5MB

Download
memory/568-132-0x0000000000CB0000-0x0000000000E2B000-memory.dmp

Filesize
1.5MB

Download
memory/568-131-0x0000000000CB0000-0x0000000000E2B000-memory.dmp

Filesize
1.5MB

Download
memory/568-136-0x00000000030B0000-0x000000000322B000-memory.dmp

Filesize
1.5MB

Download
memory/1196-101-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1196-58-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2040-174-0x0000000000AC0000-0x0000000000C3B000-memory.dmp

Filesize
1.5MB

Download
memory/2040-182-0x0000000000AC0000-0x0000000000C3B000-memory.dmp

Filesize
1.5MB

Download
memory/2056-0-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2056-29-0x00000000037A0000-0x000000000391B000-memory.dmp

Filesize
1.5MB

Download
memory/2056-43-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2328-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2328-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2328-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2328-113-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2328-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2328-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2328-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2752-82-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2752-63-0x0000000003290000-0x000000000340B000-memory.dmp

Filesize
1.5MB

Download
memory/2752-32-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2936-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-85-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-83-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-86-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-79-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-74-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-89-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-90-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-91-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-92-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-93-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-94-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-95-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-96-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-97-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download