7aa00be0182bed668c5c6a27de82cb08b5057e401c91dbb7495b691ed32efb8f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea52dbe5a212d85470f10c01258bda70_JaffaCakes118.rtf
Size

408KB
MD5

ea52dbe5a212d85470f10c01258bda70
SHA1

ece264befa61b1cdc62940602ba2fd549edabe0b
SHA256

7aa00be0182bed668c5c6a27de82cb08b5057e401c91dbb7495b691ed32efb8f
SHA512

ec724f657cd13b270186336a89ac8239354b304af6d6df52b9c5c13c173ba9069c2521dfe32764932668f4616317772929e85ef84df27932d31b989bf40a91bd
SSDEEP

12288:9/QaP76J5TI+RwJCf2QpRCtTKlfAkn3zqWmIpFv:ZOTI+CQPCSAkn3zqaL

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2092	2960	cmd.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2436	2960	cmd.exe	27

Executes dropped EXE 1 IoCs

pid	Process
1644	saver.scr

Loads dropped DLL 3 IoCs

pid	Process
1284	cmd.exe
1644	saver.scr
1644	saver.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saver.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016cb7-39.dat	nsis_installer_2
behavioral1/files/0x0006000000016d5e-41.dat	nsis_installer_1
behavioral1/files/0x0006000000016d5e-41.dat	nsis_installer_2

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2272	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
560	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2960	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2960	WINWORD.EXE
2960	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2092	2960	WINWORD.EXE	28
PID 2960 wrote to memory of 2092	2960	WINWORD.EXE	28
PID 2960 wrote to memory of 2092	2960	WINWORD.EXE	28
PID 2960 wrote to memory of 2092	2960	WINWORD.EXE	28
PID 2092 wrote to memory of 2336	2092	cmd.exe	30
PID 2092 wrote to memory of 2336	2092	cmd.exe	30
PID 2092 wrote to memory of 2336	2092	cmd.exe	30
PID 2092 wrote to memory of 2336	2092	cmd.exe	30
PID 2336 wrote to memory of 1284	2336	cmd.exe	31
PID 2336 wrote to memory of 1284	2336	cmd.exe	31
PID 2336 wrote to memory of 1284	2336	cmd.exe	31
PID 2336 wrote to memory of 1284	2336	cmd.exe	31
PID 1284 wrote to memory of 2272	1284	cmd.exe	33
PID 1284 wrote to memory of 2272	1284	cmd.exe	33
PID 1284 wrote to memory of 2272	1284	cmd.exe	33
PID 1284 wrote to memory of 2272	1284	cmd.exe	33
PID 2960 wrote to memory of 2436	2960	WINWORD.EXE	32
PID 2960 wrote to memory of 2436	2960	WINWORD.EXE	32
PID 2960 wrote to memory of 2436	2960	WINWORD.EXE	32
PID 2960 wrote to memory of 2436	2960	WINWORD.EXE	32
PID 1284 wrote to memory of 560	1284	cmd.exe	35
PID 1284 wrote to memory of 560	1284	cmd.exe	35
PID 1284 wrote to memory of 560	1284	cmd.exe	35
PID 1284 wrote to memory of 560	1284	cmd.exe	35
PID 2436 wrote to memory of 2568	2436	cmd.exe	36
PID 2436 wrote to memory of 2568	2436	cmd.exe	36
PID 2436 wrote to memory of 2568	2436	cmd.exe	36
PID 2436 wrote to memory of 2568	2436	cmd.exe	36
PID 1284 wrote to memory of 2684	1284	cmd.exe	38
PID 1284 wrote to memory of 2684	1284	cmd.exe	38
PID 1284 wrote to memory of 2684	1284	cmd.exe	38
PID 1284 wrote to memory of 2684	1284	cmd.exe	38
PID 1284 wrote to memory of 2644	1284	cmd.exe	39
PID 1284 wrote to memory of 2644	1284	cmd.exe	39
PID 1284 wrote to memory of 2644	1284	cmd.exe	39
PID 1284 wrote to memory of 2644	1284	cmd.exe	39
PID 2644 wrote to memory of 2368	2644	cmd.exe	40
PID 2644 wrote to memory of 2368	2644	cmd.exe	40
PID 2644 wrote to memory of 2368	2644	cmd.exe	40
PID 2644 wrote to memory of 2368	2644	cmd.exe	40
PID 1284 wrote to memory of 2612	1284	cmd.exe	41
PID 1284 wrote to memory of 2612	1284	cmd.exe	41
PID 1284 wrote to memory of 2612	1284	cmd.exe	41
PID 1284 wrote to memory of 2612	1284	cmd.exe	41
PID 1284 wrote to memory of 2896	1284	cmd.exe	42
PID 1284 wrote to memory of 2896	1284	cmd.exe	42
PID 1284 wrote to memory of 2896	1284	cmd.exe	42
PID 1284 wrote to memory of 2896	1284	cmd.exe	42
PID 2896 wrote to memory of 2736	2896	cmd.exe	43
PID 2896 wrote to memory of 2736	2896	cmd.exe	43
PID 2896 wrote to memory of 2736	2896	cmd.exe	43
PID 2896 wrote to memory of 2736	2896	cmd.exe	43
PID 1284 wrote to memory of 2776	1284	cmd.exe	44
PID 1284 wrote to memory of 2776	1284	cmd.exe	44
PID 1284 wrote to memory of 2776	1284	cmd.exe	44
PID 1284 wrote to memory of 2776	1284	cmd.exe	44
PID 1284 wrote to memory of 2492	1284	cmd.exe	45
PID 1284 wrote to memory of 2492	1284	cmd.exe	45
PID 1284 wrote to memory of 2492	1284	cmd.exe	45
PID 1284 wrote to memory of 2492	1284	cmd.exe	45
PID 2492 wrote to memory of 2208	2492	cmd.exe	46
PID 2492 wrote to memory of 2208	2492	cmd.exe	46
PID 2492 wrote to memory of 2208	2492	cmd.exe	46
PID 2492 wrote to memory of 2208	2492	cmd.exe	46

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ea52dbe5a212d85470f10c01258bda70_JaffaCakes118.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\DqFm.cMD"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmd
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASkKILL /F /IM winword.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\saver.scr
        
        "C:\Users\Admin\AppData\Local\Temp\saver.scr"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\DqFm.cMD"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DqFm.cMD

Filesize
185B

MD5
331108e3ae72f58ea3bb7834a0bfd92b

SHA1
2c22ea35a8892eba2e592d037585c0aae97a9cb3

SHA256
047768e32d348fa1f40cfe28867c8fb54ac9b0e1f834f666ec3b73c576337f46

SHA512
108a9ced437ba977ee09f5df6555ae62711ec79f1d3d85b4887ff8b9cecac74a0497a20371e6f028b5ae4ac476532941adf9be84c8fb707d38a586cb44cdf53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hondi.cmd

Filesize
678B

MD5
f90123c82bf798e77c09f550620dc3ad

SHA1
8a85eb320838d0111fd33c161ed5aaa5c3cb46fd

SHA256
ac3bcbd34f5db23f09f8a90cb13fde990f28d5c24f22f3d8bf16904233889ab2

SHA512
97721e31e835b33ef8822e8a9ac6050803b1fd9f9e65a89426e595c4f928623dcb2fa194311c6bf4c6d071a0974b06a7b7ba19a6c147d67faf84abeac70d4624

Download Submit
C:\Users\Admin\AppData\Local\Temp\part1.bin

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\part2.bin

Filesize
188KB

MD5
e49cbc7c3e1824b8d89ac72b2de10fde

SHA1
d2afc02c6b3eebb59d6f8995906df34ed75cd0ee

SHA256
1ce7ca2f90062c91cf0cdd7215d2b385a407f9f16cc5db7d42856e308432ddeb

SHA512
656c69f82414cf667e9c5d689aed83dfd76322f03e49684593cfaf1e1dfbb40c52cefdf2a324b8f1a1b121d7937eb1917ea60439c5b4f0c502d78420f144e708

Download Submit
C:\Users\Admin\AppData\Local\Temp\trbatehtqevyay.ScT

Filesize
705B

MD5
233a553475e6740debe603b652da5001

SHA1
06c6c41d1f209c1e60759871ce51cca3a5e7ad4c

SHA256
55cffb71cb2150fd7d16c1b3036df4eabb4400dbe65910d48babf9311fd1a6f5

SHA512
82c276c2de98548d66cacad4594e7b9f969c91f0faf8a7b7da7e8eea6a7356e8abd21a73047bb539ae909652079f21b49d2aff51db8b44e94c930aa630a08cda

Download Submit
C:\Users\Admin\appData\loCal\TeMp\gondi.doc

Filesize
408B

MD5
b3129b6a95db680cf911660ab17d7a13

SHA1
3c1a4fa57b8eb5d7655f6674718b331d1178ebce

SHA256
56232b5be28b819dc07af5450612928f51fe29cfaa6bfe86a3dfdbfc3c5ee3b2

SHA512
9d41200000dc3fc9f5aa0f9e7090ff8ad56befd9a06fec202eff9b3d2a48404b65e41bdf6d568633a05c33552c40c15defa286bfac70eff5ff622a5b7bcb3114

Download Submit
\Users\Admin\AppData\Local\Temp\heading.dll

Filesize
64KB

MD5
faf3f88d7b05504139f10bae2a358ff4

SHA1
fd8f776b0995fc73dcc7f6a402902bd4f4981cca

SHA256
f972aa6516b3194a9ffa55340f0fdd5d0b783c945e731a87b1ebadc486d16960

SHA512
7b4ab505c09aa54fd147f553f21e593716c2f0ef41e01b4ad81fd4ab8130dd1b4ddd248bb1d9f457296e8965efc964dab92c3ea90dbb01b6c2459e747834a87a

Download Submit
\Users\Admin\AppData\Local\Temp\nstB2DC.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Temp\saver.scr

Filesize
188KB

MD5
105cded58427a3a53067e017740580c6

SHA1
91f935ae49802f23367c035370e27373aa4dbd5d

SHA256
f10392cc1b5c72ce62454e96a481452ffdb4ad2b781a4c795a875f8d11687066

SHA512
26853b35037ef3a4a706c3e7a30cd9f8e85e33c5a91413b6c437381f0c77d5ed03489d1cc427ad56f9313001df908547c6957b99dab349c49ed43dbe7828d522

Download Submit
memory/1644-58-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2960-0-0x000000002F281000-0x000000002F282000-memory.dmp

Filesize
4KB

Download
memory/2960-37-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2960-2-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2960-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download