87a4d6a46713a52c343deff311c0bf3209b3c1e051357100a686fc036b5e1ac4

Analysis

max time kernel
148s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
Size

269KB
MD5

a1d05b81f9dfab937c1db86773780558
SHA1

cad886f1bdf1b9acb6ab47c6519a65292ab84d12
SHA256

87a4d6a46713a52c343deff311c0bf3209b3c1e051357100a686fc036b5e1ac4
SHA512

b86b63df3440612da77d42833ee35a894fb9d3e94b13ec5c2d900951ddbceeeb5053fe28ea454cb4b30dd1f32a486d48c479cf27f519c3d50d08f1cf2f64512f
SSDEEP

6144:QfGIxXCNTAtHPKQwPPQxpIl+GvCrgsADwS01+b0:sMKEHQwvCrgft08b0

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	adprovider.exe

Executes dropped EXE 8 IoCs

pid	Process
2496	adprovider.exe
2756	ACCTRES.exe
1740	api-ms-win-core-delayload-l1-1-0.exe
1912	aaclient.exe
1872	AltTab.exe
1456	api-ms-win-core-string-l1-1-0.exe
340	api-ms-win-core-debug-l1-1-0.exe
1508	api-ms-win-core-errorhandling-l1-1-0.exe

Loads dropped DLL 16 IoCs

pid	Process
1996	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
1996	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
2496	adprovider.exe
2496	adprovider.exe
2756	ACCTRES.exe
2756	ACCTRES.exe
1740	api-ms-win-core-delayload-l1-1-0.exe
1740	api-ms-win-core-delayload-l1-1-0.exe
1912	aaclient.exe
1912	aaclient.exe
1872	AltTab.exe
1872	AltTab.exe
1456	api-ms-win-core-string-l1-1-0.exe
1456	api-ms-win-core-string-l1-1-0.exe
340	api-ms-win-core-debug-l1-1-0.exe
340	api-ms-win-core-debug-l1-1-0.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	api-ms-win-core-errorhandling-l1-1-0.exe
File opened (read-only)	\??\F:	AltTab.exe
File opened (read-only)	\??\F:	api-ms-win-core-debug-l1-1-0.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\adprovider.exe	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\adprovider.nls	adprovider.exe
File opened for modification	C:\Windows\SysWOW64\adprovider.nls	adprovider.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.nls	api-ms-win-core-delayload-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.nls	api-ms-win-core-string-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.nls	api-ms-win-core-debug-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe	api-ms-win-core-debug-l1-1-0.exe
File created	C:\Windows\SysWOW64\ACCTRES.exe	adprovider.exe
File created	C:\Windows\SysWOW64\ACCTRES.nls	ACCTRES.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe	ACCTRES.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.nls	api-ms-win-core-delayload-l1-1-0.exe
File created	C:\Windows\SysWOW64\AltTab.nls	AltTab.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe	AltTab.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.nls	api-ms-win-core-debug-l1-1-0.exe
File created	C:\Windows\SysWOW64\aaclient.exe	api-ms-win-core-delayload-l1-1-0.exe
File created	C:\Windows\SysWOW64\aaclient.nls	aaclient.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.nls	api-ms-win-core-string-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe	api-ms-win-core-string-l1-1-0.exe
File created	C:\Windows\SysWOW64\adprovider.exe	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ACCTRES.nls	ACCTRES.exe
File opened for modification	C:\Windows\SysWOW64\aaclient.nls	aaclient.exe
File created	C:\Windows\SysWOW64\AltTab.exe	aaclient.exe
File opened for modification	C:\Windows\SysWOW64\AltTab.nls	AltTab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACCTRES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-string-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-debug-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adprovider.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-delayload-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AltTab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-errorhandling-l1-1-0.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2496	1996	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	29
PID 1996 wrote to memory of 2496	1996	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	29
PID 1996 wrote to memory of 2496	1996	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	29
PID 1996 wrote to memory of 2496	1996	a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe	29
PID 2496 wrote to memory of 2756	2496	adprovider.exe	30
PID 2496 wrote to memory of 2756	2496	adprovider.exe	30
PID 2496 wrote to memory of 2756	2496	adprovider.exe	30
PID 2496 wrote to memory of 2756	2496	adprovider.exe	30
PID 2756 wrote to memory of 1740	2756	ACCTRES.exe	31
PID 2756 wrote to memory of 1740	2756	ACCTRES.exe	31
PID 2756 wrote to memory of 1740	2756	ACCTRES.exe	31
PID 2756 wrote to memory of 1740	2756	ACCTRES.exe	31
PID 1740 wrote to memory of 1912	1740	api-ms-win-core-delayload-l1-1-0.exe	32
PID 1740 wrote to memory of 1912	1740	api-ms-win-core-delayload-l1-1-0.exe	32
PID 1740 wrote to memory of 1912	1740	api-ms-win-core-delayload-l1-1-0.exe	32
PID 1740 wrote to memory of 1912	1740	api-ms-win-core-delayload-l1-1-0.exe	32
PID 1912 wrote to memory of 1872	1912	aaclient.exe	33
PID 1912 wrote to memory of 1872	1912	aaclient.exe	33
PID 1912 wrote to memory of 1872	1912	aaclient.exe	33
PID 1912 wrote to memory of 1872	1912	aaclient.exe	33
PID 1872 wrote to memory of 1456	1872	AltTab.exe	34
PID 1872 wrote to memory of 1456	1872	AltTab.exe	34
PID 1872 wrote to memory of 1456	1872	AltTab.exe	34
PID 1872 wrote to memory of 1456	1872	AltTab.exe	34
PID 1456 wrote to memory of 340	1456	api-ms-win-core-string-l1-1-0.exe	35
PID 1456 wrote to memory of 340	1456	api-ms-win-core-string-l1-1-0.exe	35
PID 1456 wrote to memory of 340	1456	api-ms-win-core-string-l1-1-0.exe	35
PID 1456 wrote to memory of 340	1456	api-ms-win-core-string-l1-1-0.exe	35
PID 340 wrote to memory of 1508	340	api-ms-win-core-debug-l1-1-0.exe	36
PID 340 wrote to memory of 1508	340	api-ms-win-core-debug-l1-1-0.exe	36
PID 340 wrote to memory of 1508	340	api-ms-win-core-debug-l1-1-0.exe	36
PID 340 wrote to memory of 1508	340	api-ms-win-core-debug-l1-1-0.exe	36

C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\adprovider.exe
  C:\Windows\system32\adprovider.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\ACCTRES.exe
    C:\Windows\system32\ACCTRES.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe
      C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2756:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2756:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1740:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2756:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1740:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-string-l1-1-0.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2756:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1740:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m1872:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-debug-l1-1-0.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2756:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1740:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m1872:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1456:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.exe -m1996:C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.exe -sC:\Windows\system32 -m2496:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2756:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1740:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m1872:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1456:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m340:C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe -sC:\Windows\system32
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1d05b81f9dfab937c1db86773780558_JaffaCakes118.nls

Filesize
96B

MD5
6d02b2e9a891bee4855e6eb7ce7f8491

SHA1
833e4fe8309bff15ad3963ab5c7a8ca50876b501

SHA256
23e4b1908a1d897c0da494cd0fa69fb272d723ff2b2af7412d5b3a7a6e2d5da8

SHA512
e32c44afb487af9632ed59fc95c781c78217dcdba4942a9d51e06e317543504682bdb2cb74add1f97a6033a87c28cf7048d261c17eeaec083169ea9aaba55412

Download Submit
C:\Windows\SysWOW64\ACCTRES.nls

Filesize
96B

MD5
33982dba962763ba5370b98d4e19d1a0

SHA1
e555896f291eb3c41052d07601858f661fdab7c7

SHA256
217a6cbd328f14e745ec2bf3dc8176c9ce57676211b7452c94f4b1b023687499

SHA512
6a85dfc76387913de1d8922ff992c9a049db8d3094301bb5215f2f288839fb2199986efd433c6d31711cfe07bc1741ba71f5430ad623bf3c796ca409f71c217d

Download Submit
C:\Windows\SysWOW64\AltTab.nls

Filesize
96B

MD5
31b48113088ce57fa89402c04de5205c

SHA1
c367f1c2d0ccf96a0a00ae36dd5bf4747836cd8c

SHA256
d90dc2d2b59c7cc50661200e88b77bb0b2bcf26c50587bf32f48cc60c0e68336

SHA512
3bed2a1c222b4caa28aee66837e0ce021e478337cd54152eda7165c5a6aa0dc9d740615a8442364a53ea66950f8525da227b3869ff4bbbf9c58dd21a3344bbba

Download Submit
C:\Windows\SysWOW64\aaclient.nls

Filesize
96B

MD5
176100ac1b9373375e4cfee44bba0396

SHA1
3b76129246f0dc3d5584653d52be4ac49bb264f7

SHA256
5591151f043da561401adb2b2c69558bf2b4593f7cf2aa52ec72cd039cdb9b26

SHA512
5eba45e4037c811f1abc0d0821cbbc67b6f5bb237efefac97bd3272c41ab1136cb153c8bafec147340fc0d5faf38790385bb01dbf07a57b6ea161d281cf7a7de

Download Submit
C:\Windows\SysWOW64\adprovider.nls

Filesize
96B

MD5
9766015f389951b5f00a0cee89a5cee8

SHA1
0bb663ef56342655607652ddc96f8b82d75ba434

SHA256
f0a1388acb5c95957dff2ae7167f2e20b3bd75e91d2472da1fbbc17a1f1d26c3

SHA512
d1e8955a8698833ed0b8b4ec940c6b5fde11b2ab4e49f588bd11b8e3567e6fefc5d8967da601498b77080f81b42418d3889364ab652743fcbab330617aff8c4a

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.nls

Filesize
96B

MD5
f05a34a8c2b5ecd5cd9091be90e844ad

SHA1
60e2bb5e572d2baed1e67513f29310e39f555224

SHA256
a67a7939be53e7a0b8cdec93f8c8f5ae46bf414b35e1c0f68353f30280d95da3

SHA512
4661bc275edc745bf3e55990a35d0a17768fd85968ce8befcbcb4359eec0eed3dbfc434e2547a46b80dd0a61ba0336ef93d38a58d976dd472c470c75699ee863

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.nls

Filesize
96B

MD5
c377721b45063b4bfe55fc2a90c3d44a

SHA1
236d70b4e9d4437d695cb6d63c68c5c58c0e8421

SHA256
de3e1a8aaabad9e76fd1b939ad82f24407aecf50db15c19161dbbe03c0fc600b

SHA512
ba6c299f81053a8eeaf199236743f81ae5d4547e7583fcda476bf76bfb11a2cdfa08db8110b072d834f512e23c0c7aba829d1951857a7c666be6bb93a11c9a0f

Download Submit
\Windows\SysWOW64\adprovider.exe

Filesize
269KB

MD5
a1d05b81f9dfab937c1db86773780558

SHA1
cad886f1bdf1b9acb6ab47c6519a65292ab84d12

SHA256
87a4d6a46713a52c343deff311c0bf3209b3c1e051357100a686fc036b5e1ac4

SHA512
b86b63df3440612da77d42833ee35a894fb9d3e94b13ec5c2d900951ddbceeeb5053fe28ea454cb4b30dd1f32a486d48c479cf27f519c3d50d08f1cf2f64512f

Download Submit
memory/340-129-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/340-125-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/340-127-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/340-145-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1456-116-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1456-107-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1456-105-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1508-144-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1740-50-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1740-66-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1872-104-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1872-86-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1872-89-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1912-67-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1912-77-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1996-2-0x000000000048C000-0x00000000004CE000-memory.dmp

Filesize
264KB

Download
memory/1996-15-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1996-7-0x00000000037E0000-0x00000000038B6000-memory.dmp

Filesize
856KB

Download
memory/1996-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1996-1-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2496-31-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2496-13-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2756-49-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2756-34-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2756-29-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download