Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 18:49

General

  • Target

    a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    a389e09c036ecdf3a84ea4bbe65e8b88

  • SHA1

    0044fb8a60a621d8366ad93e9e99b8e99ea37bf8

  • SHA256

    e22cbaeb92b791e43ee4c70ad079fa2bb31faf721ce507390b41eadc1ca31cad

  • SHA512

    103de51314420c6b84a4ef2e7111beebaa04004ecc3ccacfbc5f86c451e551e97590af570b86d9162a8c32d1e5c777e3bcbafa3edaffe28a8055cec971c4ba9c

  • SSDEEP

    98304:7JYnakukyg+fCpLG9fevK46z4hF42Xp+wsTWgIZY3THkxfqvcQ9:7J+aHDnfCBsfewzcF42Xp+wZgIm3zkxw

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Rms family
  • Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 19 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a389e09c036ecdf3a84ea4bbe65e8b88_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Users\Admin\AppData\Local\Temp\rms.exe
        "C:\Users\Admin\AppData\Local\Temp\rms.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set allprofiles state off
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3116
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= disabled
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1632
        • C:\Windows\SysWOW64\net.exe
          net stop rserver3
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop rserver3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3952
        • C:\Windows\SysWOW64\net.exe
          net stop Telnet
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3900
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop Telnet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4896
        • C:\Windows\SysWOW64\sc.exe
          sc config tlntsvr start= disabled
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:5012
        • C:\Windows\SysWOW64\net.exe
          net stop "Service Host Controller"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Service Host Controller"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:648
        • C:\Windows\SysWOW64\net.exe
          net user HelpAssistant /delete
          4⤵
          • Indicator Removal: Network Share Connection Removal
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3824
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user HelpAssistant /delete
            5⤵
            • Indicator Removal: Network Share Connection Removal
            • System Location Discovery: System Language Discovery
            PID:2884
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /delete /tn security /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:920
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4324
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete rule name="Service Host Controller"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2036
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete rule name="•®бв-Їа®жҐбб ¤«п б«г¦Ў Windows"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4912
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete rule name="•®бв-Їа®жҐбб ¤«п § ¤ з Windows"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4036
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall delete portopening tcp 57009
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3920
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete rule name="cam_server"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1920
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete portopening tcp 57011 all
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4968
        • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
          "rutserv.exe" /silentinstall
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:396
        • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
          "rutserv.exe" /firewall
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2636
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s set.reg
          4⤵
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:4360
        • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
          "rutserv.exe" /start
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1880
  • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
    C:\Users\Admin\AppData\Local\Temp\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
      C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1780
      • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
        C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:5116
    • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
      C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

    Filesize

    264B

    MD5

    1ef443aaf68da2a12fc097379ba08579

    SHA1

    a1e5e036ed6b639a17a6149ae865c648867c420a

    SHA256

    92ca1ebb313825435d48164e3622a6a7880e9215a57b82d2d9c6f9c7a322a142

    SHA512

    d20d86636751635d8cdd04294d4a694b7a412f897b2a409daf8d8b42aa96872bed0b9c2aa9653ceea3cc55d80c77500dfb62f36742e4f3b5e2ef850443f3ddc1

  • C:\Users\Admin\AppData\Local\Temp\ID.txt

    Filesize

    20B

    MD5

    49eea68546f0d8f7bb9ad14a16698199

    SHA1

    526bf522eee7d502af9931a2fc1a4e4f09053971

    SHA256

    bf06442f8f473b624305425ff829e6cc9595027f3219399f0e997a7c0db39f8b

    SHA512

    e9b8157eef33302137f033972683471ceef717031b3f9901d1fcea5e4c53b1139e1286f08da4c06c4389060769b2d33a86cc2f67223d8ccfa3be26e30db9480b

  • C:\Users\Admin\AppData\Local\Temp\Microsoft.VC90.CRT.manifest

    Filesize

    1KB

    MD5

    53213fc8c2cb0d6f77ca6cbd40fff22c

    SHA1

    d8ba81ed6586825835b76e9d566077466ee41a85

    SHA256

    03d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5

    SHA512

    e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb

  • C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll

    Filesize

    145KB

    MD5

    501d1108baff017b9c7d7054995082e3

    SHA1

    ce7408993f25d615785835067bfc7c6731cb7d85

    SHA256

    be88c1319f8741842f3ce7b7606615efb96f0f46fad9321a2b995239ccf826e3

    SHA512

    8dd404d56cf9285e32069c1b774a565269223d30089f0d5b3a100f316cdfd96ff7246d8cc1337dc74b9f970dddc9023fa21c7059185af972d3fcda2204c0a9f8

  • C:\Users\Admin\AppData\Local\Temp\RWLN.dll

    Filesize

    359KB

    MD5

    6d692f1ae8653afb6e478427cacefe1e

    SHA1

    de53d27feeedf1c08e0dc911905c57a383da2626

    SHA256

    fe1aa78691da4a8a944ee9e922e49a1712d620fb728faab135dabe081c088834

    SHA512

    0bbb21f5515eec44aea414d17123eb2275b78db788e927878652fe876bb17f706c395f6a20309c4c7aaef6bce9c280890bce38693a9a1858f7bac9665759af6b

  • C:\Users\Admin\AppData\Local\Temp\dsfVorbisDecoder.dll

    Filesize

    234KB

    MD5

    8e3f59b8c9dfc933fca30edefeb76186

    SHA1

    37a78089d5936d1bc3b60915971604c611a94dbd

    SHA256

    528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

    SHA512

    3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

  • C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll

    Filesize

    1.6MB

    MD5

    ff622a8812d8b1eff8f8d1a32087f9d2

    SHA1

    910615c9374b8734794ac885707ff5370db42ef1

    SHA256

    1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

    SHA512

    1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

  • C:\Users\Admin\AppData\Local\Temp\gdiplus.dll

    Filesize

    1.6MB

    MD5

    871c903a90c45ca08a9d42803916c3f7

    SHA1

    d962a12bc15bfb4c505bb63f603ca211588958db

    SHA256

    f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

    SHA512

    985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

  • C:\Users\Admin\AppData\Local\Temp\msimg32.dll

    Filesize

    3KB

    MD5

    6448b4e0f7a74d8df1cef93b65bd684a

    SHA1

    e7a7f686280b2bd2573b6c3deefd410d922ccd4f

    SHA256

    7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

    SHA512

    15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

  • C:\Users\Admin\AppData\Local\Temp\msvcp90.dll

    Filesize

    556KB

    MD5

    b2eee3dee31f50e082e9c720a6d7757d

    SHA1

    3322840fef43c92fb55dc31e682d19970daf159d

    SHA256

    4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

    SHA512

    8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

  • C:\Users\Admin\AppData\Local\Temp\msvcr90.dll

    Filesize

    637KB

    MD5

    7538050656fe5d63cb4b80349dd1cfe3

    SHA1

    f825c40fee87cc9952a61c8c34e9f6eee8da742d

    SHA256

    e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

    SHA512

    843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

  • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

    Filesize

    3.9MB

    MD5

    6b00ef267e590b8aec937d4fbaa7c54b

    SHA1

    238f121a3dba5d3a5492cda9010d3f4fb8419a04

    SHA256

    ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

    SHA512

    bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

  • C:\Users\Admin\AppData\Local\Temp\rms.exe

    Filesize

    380KB

    MD5

    61c9f3710cf777112e59f1f47728478e

    SHA1

    43d7d5c2a5bd5f81f37a6c864a72240ce18d2868

    SHA256

    02f227aad9b48f00ac53a74533b331bdce4fdef9210685425b6e3335d9c4662e

    SHA512

    f4a803dbb5ac60058553887ee3116356c079f02195d4d18a7e373a6a75e06acd09494f36d4bbc4961310cd7e6273e8cbeb9973a72d82b93f630249bd00ac0c14

  • C:\Users\Admin\AppData\Local\Temp\rutserv.exe

    Filesize

    5.1MB

    MD5

    a9201bd8618bdc4795a95b1755fb93b6

    SHA1

    93eabe79096041e08ad0306a5edb9746bcc7ec50

    SHA256

    923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

    SHA512

    f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

  • C:\Users\Admin\AppData\Local\Temp\set.reg

    Filesize

    19KB

    MD5

    c2da403ccb930592be1b39aefd42b818

    SHA1

    c0b8dbfa97ae9ade84fd65021716ec6313a71363

    SHA256

    ea3e4308fc723a6938f13c7961f476410c0a8191aa6ac74fa2b41d76494e7257

    SHA512

    0f0bc303542ec56b4363c3d54894e2c1b4508fca81870e1b73f198e27240f4aac4faef89ed85bab88bbb318c286ecd6e2ca6ed1dfb42b57faf9e16d044deb865

  • C:\Users\Admin\AppData\Local\Temp\stop.js

    Filesize

    211B

    MD5

    fb5b62a32e853a51359fb598a4d5008f

    SHA1

    f3cc4663189878044c956c1f84b9c32f3d29d2b2

    SHA256

    b1b1b8f753e130e463f02527541389295f9b7d28c331085a2a03d83f8587550f

    SHA512

    9304880a49bf479f8322f19089109b36cf1104fb0b581357560e3fe1c1f31ca379607797d7a757e1e85a9fbde40094b99b4a3c5830172998102d041435ccded8

  • C:\Users\Admin\AppData\Local\Temp\svchosts.exe

    Filesize

    708KB

    MD5

    3b5e40b584904d9beebeea1e4a94ef7e

    SHA1

    88de849817a4b93b83ccb95a1f37f698cee197d9

    SHA256

    73ce0e5045ba4b7bd2f7f2f5a1c3bb1dfd2a9a1c2c48d76dfc529d8a3e217f12

    SHA512

    1125a94d2673105d40a45b0f8c6088bf8f9fff89cdf3d5231e73d1a15ece23bfd8e564fad63707bb4c3a559310666aedf784d78418be27953b22296d89a5faa5

  • C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll

    Filesize

    403KB

    MD5

    6f6bfe02e84a595a56b456f72debd4ee

    SHA1

    90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

    SHA256

    5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

    SHA512

    ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

  • C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll

    Filesize

    685KB

    MD5

    c638bca1a67911af7f9ed67e7b501154

    SHA1

    0fd74d2f1bd78f678b897a776d8bce36742c39b7

    SHA256

    519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

    SHA512

    ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

  • memory/396-81-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/396-82-0x0000000074D20000-0x0000000074D23000-memory.dmp

    Filesize

    12KB

  • memory/396-79-0x0000000074D20000-0x0000000074D23000-memory.dmp

    Filesize

    12KB

  • memory/1132-97-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/1780-105-0x0000000000400000-0x0000000000872000-memory.dmp

    Filesize

    4.4MB

  • memory/1780-96-0x0000000074D20000-0x0000000074D23000-memory.dmp

    Filesize

    12KB

  • memory/2636-85-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-142-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-114-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-135-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-128-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-90-0x0000000074D20000-0x0000000074D23000-memory.dmp

    Filesize

    12KB

  • memory/2936-104-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-149-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-121-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-110-0x0000000000400000-0x00000000009B9000-memory.dmp

    Filesize

    5.7MB

  • memory/3940-106-0x0000000000400000-0x0000000000872000-memory.dmp

    Filesize

    4.4MB

  • memory/3940-112-0x0000000000400000-0x0000000000872000-memory.dmp

    Filesize

    4.4MB

  • memory/3940-116-0x0000000000400000-0x0000000000872000-memory.dmp

    Filesize

    4.4MB

  • memory/3940-123-0x0000000000400000-0x0000000000872000-memory.dmp

    Filesize

    4.4MB

  • memory/4296-109-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4296-100-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4296-95-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4296-41-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/5116-103-0x0000000000400000-0x0000000000872000-memory.dmp

    Filesize

    4.4MB