94a2dcfdbce60c902ff131b2304d7b2ecd1c2eb4e84faa391f1c926f27da67cb

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Size

360KB
MD5

aa9bb6ba3dfeca63c997ec2da89fb61c
SHA1

26d783f02245a10c60d291d3f95f071695685fb7
SHA256

94a2dcfdbce60c902ff131b2304d7b2ecd1c2eb4e84faa391f1c926f27da67cb
SHA512

86a5c320062c91319714f331fe40866469c837d301d07b54e8a1e1a60e387d066b2d3058e33a0040fa783bca24705902a34640ee52b4f9ad45776c5db674d463
SSDEEP

6144:U4rvXy29kyG1X1tZuwmzFBPjQ1LcWEi2Keamies6Oo418ufBJBL6Hg9JLaNgkiE1:U4rvXtvu1exHPjPbKvqs689LUg9YWKhj

Score

8^/10

aspackv2 discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4416	netsh.exe
3580	netsh.exe
4848	netsh.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234e8-6.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\internet = "\"C:\\Windows\\system\\csrss.exe\""	csrss.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AUTOEXEC.BAT	csrss.exe
File opened for modification	C:\Windows\SysWOW64\AUTOEXEC.BAT	csrss.exe
File opened for modification	C:\Windows\SysWOW64\BOOTEX.LOG	cmd.exe
File opened for modification	C:\Windows\SysWOW64\BOOTEX.LOG	cmd.exe
File created	C:\Windows\SysWOW64\PhotoScreensaver.scr	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scrnsave.scr	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Real\Update_OB\realsched.exe	csrss.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\IsUn0804.exe	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
File created	C:\Windows\IsUn0404.exe	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
File created	C:\Windows\system\csrss.exe	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
File opened for modification	C:\Windows\system\csrss.exe	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
File created	C:\Windows\IsUninst.exe	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Event Triggered Execution: Screensaver 1 TTPs 3 IoCs

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

persistence privilege_escalation

Screensaver

T1546.002

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveActive = "1"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\scrnsave.scr"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies Control Panel 5 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\scrnsave.scr"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveActive = "1"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue = "2"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue = "1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue = "2"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "\"C:\\Windows\\system\\csrss.exe\" \"%1\""	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\CheckedValue = "0"	csrss.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe
3032	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	csrss.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3404	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
3032	csrss.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3032	3404	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe	87
PID 3404 wrote to memory of 3032	3404	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe	87
PID 3404 wrote to memory of 3032	3404	aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe	87
PID 3032 wrote to memory of 3728	3032	csrss.exe	88
PID 3032 wrote to memory of 3728	3032	csrss.exe	88
PID 3032 wrote to memory of 3728	3032	csrss.exe	88
PID 3032 wrote to memory of 1132	3032	csrss.exe	90
PID 3032 wrote to memory of 1132	3032	csrss.exe	90
PID 3032 wrote to memory of 1132	3032	csrss.exe	90
PID 3728 wrote to memory of 1368	3728	cmd.exe	92
PID 3728 wrote to memory of 1368	3728	cmd.exe	92
PID 3728 wrote to memory of 1368	3728	cmd.exe	92
PID 1368 wrote to memory of 2800	1368	net.exe	93
PID 1368 wrote to memory of 2800	1368	net.exe	93
PID 1368 wrote to memory of 2800	1368	net.exe	93
PID 3728 wrote to memory of 4416	3728	cmd.exe	94
PID 3728 wrote to memory of 4416	3728	cmd.exe	94
PID 3728 wrote to memory of 4416	3728	cmd.exe	94
PID 3728 wrote to memory of 3580	3728	cmd.exe	95
PID 3728 wrote to memory of 3580	3728	cmd.exe	95
PID 3728 wrote to memory of 3580	3728	cmd.exe	95
PID 3728 wrote to memory of 4848	3728	cmd.exe	96
PID 3728 wrote to memory of 4848	3728	cmd.exe	96
PID 3728 wrote to memory of 4848	3728	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa9bb6ba3dfeca63c997ec2da89fb61c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Event Triggered Execution: Screensaver
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\system\csrss.exe
  "C:\Windows\system\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\AUTOEXEC.BAT
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\net.exe
      net stop "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set notifications disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4416
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode enable enable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3580
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system\csrss.exe POCO
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\AUTOEXEC.BAT
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Screensaver

T1546.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Screensaver

T1546.002

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IsUn0404.exe

Filesize
360KB

MD5
aa9bb6ba3dfeca63c997ec2da89fb61c

SHA1
26d783f02245a10c60d291d3f95f071695685fb7

SHA256
94a2dcfdbce60c902ff131b2304d7b2ecd1c2eb4e84faa391f1c926f27da67cb

SHA512
86a5c320062c91319714f331fe40866469c837d301d07b54e8a1e1a60e387d066b2d3058e33a0040fa783bca24705902a34640ee52b4f9ad45776c5db674d463

Download Submit
C:\Windows\SysWOW64\AUTOEXEC.BAT

Filesize
366B

MD5
cf56cc2f83b625e928ca9b0f8aeee2e0

SHA1
46f04dc7ff7fbd70a8383cdb653d406d4bb5e074

SHA256
d07d1b719d993a7969ef14e6940ca373af62aeaf2a91f6d51a895adddc91964d

SHA512
199a7b47ce56f73d3f07bdc0cbfd8a4e5fe5041fad07bce4c6e9e60d86bb23ea460ff24bef81edb8dde8484cdc9fe967f7d324258510ae8a718c4c566cf342da

Download Submit
memory/3032-53-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-54-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-40-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3032-64-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-50-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3032-49-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-51-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-52-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-63-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-62-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-55-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-56-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-57-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-58-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-59-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-60-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3032-61-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3404-39-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3404-0-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/3404-1-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download