blackshades | 8b4ba0001ecedff27c9ce77a5fea7252caaf2b511c78e64afc62f79f010c79c7

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
Size

517KB
MD5

3671211d6cbd5f470e4cc32d03a7b730
SHA1

54ef4c7cfdb75597f93fd0d9e46e4daef597eb95
SHA256

8b4ba0001ecedff27c9ce77a5fea7252caaf2b511c78e64afc62f79f010c79c7
SHA512

86c4c57501c0bf41ebb09703e46c6e0ca63af7503088a57f9e1d3d62bc0350bc9ba6ded6e50368d0d1c547ce3c2bae49d50e795430db873d35baa707fa21e7ed
SSDEEP

12288:cx/hxpKAjH9ImwKNbHDf42j4Mb1TuilTS1rhqdcn4No:cxIG5/TDf42jTZ3v

Score

10^/10

blackshades defense_evasion discovery rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral2/memory/4028-7-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/4028-9-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Mar16ABirds.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mar16ABirds.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	ScCore.exe

Executes dropped EXE 2 IoCs

pid	Process
4372	ScCore.exe
2612	IEShims.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 2612 set thread context of 3772	2612	IEShims.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEShims.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScCore.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2060	reg.exe
4752	reg.exe
1264	reg.exe
2340	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
4372	ScCore.exe
2612	IEShims.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
2612	IEShims.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe
4372	ScCore.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
Token: 1	4028	AppLaunch.exe
Token: SeCreateTokenPrivilege	4028	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	4028	AppLaunch.exe
Token: SeLockMemoryPrivilege	4028	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	4028	AppLaunch.exe
Token: SeMachineAccountPrivilege	4028	AppLaunch.exe
Token: SeTcbPrivilege	4028	AppLaunch.exe
Token: SeSecurityPrivilege	4028	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	4028	AppLaunch.exe
Token: SeLoadDriverPrivilege	4028	AppLaunch.exe
Token: SeSystemProfilePrivilege	4028	AppLaunch.exe
Token: SeSystemtimePrivilege	4028	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	4028	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	4028	AppLaunch.exe
Token: SeCreatePagefilePrivilege	4028	AppLaunch.exe
Token: SeCreatePermanentPrivilege	4028	AppLaunch.exe
Token: SeBackupPrivilege	4028	AppLaunch.exe
Token: SeRestorePrivilege	4028	AppLaunch.exe
Token: SeShutdownPrivilege	4028	AppLaunch.exe
Token: SeDebugPrivilege	4028	AppLaunch.exe
Token: SeAuditPrivilege	4028	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	4028	AppLaunch.exe
Token: SeChangeNotifyPrivilege	4028	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	4028	AppLaunch.exe
Token: SeUndockPrivilege	4028	AppLaunch.exe
Token: SeSyncAgentPrivilege	4028	AppLaunch.exe
Token: SeEnableDelegationPrivilege	4028	AppLaunch.exe
Token: SeManageVolumePrivilege	4028	AppLaunch.exe
Token: SeImpersonatePrivilege	4028	AppLaunch.exe
Token: SeCreateGlobalPrivilege	4028	AppLaunch.exe
Token: 31	4028	AppLaunch.exe
Token: 32	4028	AppLaunch.exe
Token: 33	4028	AppLaunch.exe
Token: 34	4028	AppLaunch.exe
Token: 35	4028	AppLaunch.exe
Token: SeDebugPrivilege	4372	ScCore.exe
Token: SeDebugPrivilege	2612	IEShims.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4028	AppLaunch.exe
4028	AppLaunch.exe
4028	AppLaunch.exe
3772	AppLaunch.exe
3772	AppLaunch.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 3588 wrote to memory of 4028	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	90
PID 4028 wrote to memory of 4716	4028	AppLaunch.exe	91
PID 4028 wrote to memory of 4716	4028	AppLaunch.exe	91
PID 4028 wrote to memory of 4716	4028	AppLaunch.exe	91
PID 4028 wrote to memory of 1532	4028	AppLaunch.exe	92
PID 4028 wrote to memory of 1532	4028	AppLaunch.exe	92
PID 4028 wrote to memory of 1532	4028	AppLaunch.exe	92
PID 4028 wrote to memory of 4980	4028	AppLaunch.exe	93
PID 4028 wrote to memory of 4980	4028	AppLaunch.exe	93
PID 4028 wrote to memory of 4980	4028	AppLaunch.exe	93
PID 4028 wrote to memory of 1168	4028	AppLaunch.exe	94
PID 4028 wrote to memory of 1168	4028	AppLaunch.exe	94
PID 4028 wrote to memory of 1168	4028	AppLaunch.exe	94
PID 4716 wrote to memory of 4752	4716	cmd.exe	99
PID 4716 wrote to memory of 4752	4716	cmd.exe	99
PID 4716 wrote to memory of 4752	4716	cmd.exe	99
PID 1532 wrote to memory of 1264	1532	cmd.exe	100
PID 1532 wrote to memory of 1264	1532	cmd.exe	100
PID 1532 wrote to memory of 1264	1532	cmd.exe	100
PID 4980 wrote to memory of 2340	4980	cmd.exe	101
PID 4980 wrote to memory of 2340	4980	cmd.exe	101
PID 4980 wrote to memory of 2340	4980	cmd.exe	101
PID 1168 wrote to memory of 2060	1168	cmd.exe	102
PID 1168 wrote to memory of 2060	1168	cmd.exe	102
PID 1168 wrote to memory of 2060	1168	cmd.exe	102
PID 3588 wrote to memory of 4372	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	103
PID 3588 wrote to memory of 4372	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	103
PID 3588 wrote to memory of 4372	3588	JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe	103
PID 4372 wrote to memory of 2612	4372	ScCore.exe	104
PID 4372 wrote to memory of 2612	4372	ScCore.exe	104
PID 4372 wrote to memory of 2612	4372	ScCore.exe	104
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105
PID 2612 wrote to memory of 3772	2612	IEShims.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3671211d6cbd5f470e4cc32d03a7b730.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Mar16ABirds.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Mar16ABirds.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Mar16ABirds.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Mar16ABirds.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ScCore.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ScCore.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IEShims.exe
    "C:\Users\Admin\AppData\Local\Temp\IEShims.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IEShims.exe

Filesize
517KB

MD5
3671211d6cbd5f470e4cc32d03a7b730

SHA1
54ef4c7cfdb75597f93fd0d9e46e4daef597eb95

SHA256
8b4ba0001ecedff27c9ce77a5fea7252caaf2b511c78e64afc62f79f010c79c7

SHA512
86c4c57501c0bf41ebb09703e46c6e0ca63af7503088a57f9e1d3d62bc0350bc9ba6ded6e50368d0d1c547ce3c2bae49d50e795430db873d35baa707fa21e7ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ScCore.exe

Filesize
6KB

MD5
fa04679f88ed341ca02a7ecf899e7b98

SHA1
a87211346dd0f8e42429122f7069b2d1820ba9d4

SHA256
dff69e6b88bac94e9660a49a0f1deff2598675f19396ee26cea8582eabdfc5e3

SHA512
118a41a248717066a3ac386a75bdf2ea5cdcc7cae6d58793dca6567a57fa88ca1da4f4ec37948d6bf73d5ba03f4b6066d6cf8922ce85674bdbe0c9996b855e52

Download Submit
memory/3588-0-0x0000000074942000-0x0000000074943000-memory.dmp

Filesize
4KB

Download
memory/3588-1-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/3588-2-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/3588-33-0x0000000074942000-0x0000000074943000-memory.dmp

Filesize
4KB

Download
memory/3588-34-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/4028-7-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4028-9-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download