Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2025, 07:54

General

  • Target

    JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe

  • Size

    784KB

  • MD5

    f556539439da85b1bfb46dc17444349c

  • SHA1

    c805585d22c592adca4b35ec0ddcce0b1156836b

  • SHA256

    44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa

  • SHA512

    bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832

  • SSDEEP

    24576:iFmcH5C0jCDwUvNprLyIj6bjgICOj5mWeHoFS:iFmOODvfr5j4jQOFmfHoFS

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 19 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f556539439da85b1bfb46dc17444349c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:3004
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svchost.exe" /t REG_SZ /d "C:\Windows\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4716
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4200
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
        PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:968
        • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
          "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5008
          • C:\Windows\Temp\svchost.exe
            C:\Windows\Temp\svchost.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5076
          • C:\Windows\Temp\svchost.exe
            C:\Windows\Temp\svchost.exe
            4⤵
              PID:4380
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            3⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3928
          • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
            "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:388
            • C:\Windows\Temp\svchost.exe
              C:\Windows\Temp\svchost.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3108
            • C:\Windows\Temp\svchost.exe
              C:\Windows\Temp\svchost.exe
              4⤵
                PID:748
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              3⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5088
            • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
              "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3884
              • C:\Windows\Temp\svchost.exe
                C:\Windows\Temp\svchost.exe
                4⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2932
              • C:\Windows\Temp\svchost.exe
                C:\Windows\Temp\svchost.exe
                4⤵
                  PID:2224
              • C:\Windows\SysWOW64\PING.EXE
                ping 1.1.1.1 -n 1 -w 3000
                3⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1756
              • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
                "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:544
                • C:\Windows\Temp\svchost.exe
                  C:\Windows\Temp\svchost.exe
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1704
                • C:\Windows\Temp\svchost.exe
                  C:\Windows\Temp\svchost.exe
                  4⤵
                    PID:4956
                • C:\Windows\SysWOW64\PING.EXE
                  ping 1.1.1.1 -n 1 -w 3000
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4772
                • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
                  "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:220
                  • C:\Windows\Temp\svchost.exe
                    C:\Windows\Temp\svchost.exe
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:2004
                  • C:\Windows\Temp\svchost.exe
                    C:\Windows\Temp\svchost.exe
                    4⤵
                      PID:588
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 1.1.1.1 -n 1 -w 3000
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:4860
                  • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
                    "C:\Users\Admin\AppData\Local\Temp\rundll32 .exe"
                    3⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4200
                    • C:\Windows\Temp\svchost.exe
                      C:\Windows\Temp\svchost.exe
                      4⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:336
                    • C:\Windows\Temp\svchost.exe
                      C:\Windows\Temp\svchost.exe
                      4⤵
                        PID:932
                    • C:\Windows\SysWOW64\PING.EXE
                      ping 1.1.1.1 -n 1 -w 3000
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:3020
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkZCNkU4NjAtOEEwRS00RTgyLUJCMDUtMTI0QURGRjFCMkU2fSIgdXNlcmlkPSJ7NDhGRjlFQTgtODVBMi00NjFELUEwNTUtNjBFRDY1MjUzQzRFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDJENkU3NkEtRkEzRS00NjA0LTk4MzctNjYyQUI0QjA5MzZDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjc2NDUwNjI0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                  1⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  PID:3772

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rundll32 .exe.log

                  Filesize

                  588B

                  MD5

                  bbc3cfe1a58732a0477f72ea3d36c7bf

                  SHA1

                  fb801263330aa243f63270138ab467a627dffc2e

                  SHA256

                  9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722

                  SHA512

                  5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4

                • C:\Users\Admin\AppData\Local\Temp\caca.bat

                  Filesize

                  47B

                  MD5

                  58ccb87aa1da4939df403810f1e68b6b

                  SHA1

                  dc8551f41682e5cb1dd25af3f11a789b1d37b295

                  SHA256

                  eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

                  SHA512

                  17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

                • C:\Users\Admin\AppData\Local\Temp\caca2.bat

                  Filesize

                  151B

                  MD5

                  ed28c618f7d8306e3736432b58bb5d27

                  SHA1

                  441e6dab70e31d9c599fcd9e2d32009038781b42

                  SHA256

                  d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3

                  SHA512

                  4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

                • C:\Users\Admin\AppData\Local\Temp\invs.vbs

                  Filesize

                  78B

                  MD5

                  c578d9653b22800c3eb6b6a51219bbb8

                  SHA1

                  a97aa251901bbe179a48dbc7a0c1872e163b1f2d

                  SHA256

                  20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

                  SHA512

                  3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

                • C:\Users\Admin\AppData\Local\Temp\per.bat

                  Filesize

                  111B

                  MD5

                  851c0e754a2e3663cbfdc09777323516

                  SHA1

                  e9f67ac8c5d22c5c47b71d2a51b6aa5076b9287a

                  SHA256

                  b97c58636ccaa18444a0e317e5a8b8112147e5c5a53777085f035779648c7eeb

                  SHA512

                  2efde32aad3b7278f6ea2bd8a688fe30ce75b2914b59dba87b2999dc199ae4a63c0dc08f476096807e2ecd96d4f860ebf988b420c68536accc038b22a7e738d0

                • C:\Users\Admin\AppData\Local\Temp\rundll32 .exe

                  Filesize

                  784KB

                  MD5

                  f556539439da85b1bfb46dc17444349c

                  SHA1

                  c805585d22c592adca4b35ec0ddcce0b1156836b

                  SHA256

                  44a8a3928c9f10f6b19bed527d7ce020db4f3a8efa635e5ef77ffca47ebfdfaa

                  SHA512

                  bfeebc9f6fcfd1e830eba4a74587ecde805abcef8d41865e603151ee6f81bce7b2dd1af28036bdec548f49ea2039dde1bd1988a88bf6564a26afc9db6c9fd832

                • C:\Windows\Temp\svchost.exe

                  Filesize

                  1.1MB

                  MD5

                  d881de17aa8f2e2c08cbb7b265f928f9

                  SHA1

                  08936aebc87decf0af6e8eada191062b5e65ac2a

                  SHA256

                  b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

                  SHA512

                  5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

                • memory/336-120-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/1704-94-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2004-107-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-72-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-108-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-35-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-20-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-42-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-121-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-97-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-19-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-55-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-56-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-122-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-83-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2580-69-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/2932-82-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/3108-68-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/3640-0-0x0000000074672000-0x0000000074673000-memory.dmp

                  Filesize

                  4KB

                • memory/3640-41-0x0000000074670000-0x0000000074C21000-memory.dmp

                  Filesize

                  5.7MB

                • memory/3640-34-0x0000000074670000-0x0000000074C21000-memory.dmp

                  Filesize

                  5.7MB

                • memory/3640-33-0x0000000074672000-0x0000000074673000-memory.dmp

                  Filesize

                  4KB

                • memory/3640-2-0x0000000074670000-0x0000000074C21000-memory.dmp

                  Filesize

                  5.7MB

                • memory/3640-1-0x0000000074670000-0x0000000074C21000-memory.dmp

                  Filesize

                  5.7MB

                • memory/5076-53-0x0000000000400000-0x0000000000470000-memory.dmp

                  Filesize

                  448KB

                • memory/5076-52-0x0000000000470000-0x0000000000539000-memory.dmp

                  Filesize

                  804KB