Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-04-2024 19:21

General

  • Target

    e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe

  • Size

    947KB

  • MD5

    e5ac6f9f85c0e55f0d164afa56a45890

  • SHA1

    06f0eccf410176d514b86b02f602699d58d56b5a

  • SHA256

    f173cd6a86e6aaf1ebaddd4e14b8933516246d1bb320ddbe7c221895bb9281b6

  • SHA512

    7d067b3a1f13057588c6cbb751b9ce16fd4d444af130780d9ade2ded97ba43160a0bdf70eae33459483d73e737f8e99f096053b8b7213192ef08c5bbb3f2a075

  • SSDEEP

    12288:O1UVGInYjg53VLFvth+w7GodQpbelTw4cMb9eQ1kPHSlFi48soHo:O1UVGInYj6vv/Nv+kTJ9kQ1SyLoH

Malware Config

Signatures

  • Detect ZGRat V1 33 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4596
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3300
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2796
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1964
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5112
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4360
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5724
    • C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • outlook_office_path
      • outlook_win_path
      PID:5052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    0774a05ce5ee4c1af7097353c9296c62

    SHA1

    658ff96b111c21c39d7ad5f510fb72f9762114bb

    SHA256

    d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

    SHA512

    104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    20KB

    MD5

    4a86614eff96e1dce6cf80d4aa2fe6cb

    SHA1

    30a595c7289a1d9993069babca6d45297849589f

    SHA256

    ac28dc2d4add74af332d7685315bd80fb3f0c7aed0ececc3af3f3b7943051a03

    SHA512

    304846309b3815dbb5be8100e1384a058160cf7a0bf70c64ecc04ddbf569831df75788d176b8109ac9e7a7fcab25c57860fa4b43d3430a1ada6ae6bebf451115

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    c9e381c2ea62fd0d99ddc8811747aa6b

    SHA1

    990bf235b09e469222452d013f36b398623fc808

    SHA256

    71cc857219a854f17e5ed9d136c622c91c9d3d215db03500aa10ce3c2bbe091a

    SHA512

    fc28a18115bf26e566723483ad30971a2d2f626115d1851178bd2cf099ebdd4b439b0084ff1e128f6685fb58d090340928883ec45254eb44bae81682cd32d15d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    e705eeecfa47334eae07762ca0bd745c

    SHA1

    7592483b5ec123718f489aba7f1eec38f26a09be

    SHA256

    6a2cbf6a197f0c647155445748d65ba459bda5643193c3645cc597281502e919

    SHA512

    2a0253e95f0c06ae714295c8576e8475a262399610fd535d325484e64dae52612b6cd631a43e5114577a1bdd81306b94644991c4bc95281dfbf7c4602cfa1bc1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    20KB

    MD5

    052afd729e3ade04a74b40c992b9faa2

    SHA1

    d102b02b580eb55dbba12d46be17fe8751f474f4

    SHA256

    04470335d2e4421304c2855af53594bfc3ed29b1433e13b5def47eba8b7f80b5

    SHA512

    346b7e013fff7ca90e5a679567d58dd77d1c9b2605ffc3ec06a8c76773cfc3337bc65e1401922ac08c9281c67eb7af4dcdaa6d41bdf9feb08fd92d78e64e74c1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    40711b5578ceeb33e67aa16d735beafe

    SHA1

    3fc84b1e4f7dd9f374b295eed43d36b0d69bf934

    SHA256

    5b1f0359970f13ee055be281cb1cc2ca91249ce871477fa9ccfffde9446c437b

    SHA512

    c18bc0997593d29d29593687ef5e5cfcb5e79500c8e4c17423a9b97e6166794bdc3f6b9b14e4dc04ac1286a7eb2e0843980c6409f64e4dd7461a6dbf7c7e9cf7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    20KB

    MD5

    e6cab0fc4084e2777aa79d2ef3ba4e2e

    SHA1

    9c44779c71290ce73f97b7d59deb884bc017f4b1

    SHA256

    040743ac9d0bb5f608a65d686843ebae99744cbce1d4952efa2caa1ce543fd1d

    SHA512

    47a90e2d864297c871a2a14679ae355dbdd840b9174d1a490c7b53bdfd7dc76cf8d1d344628dff74ecf52768ff50084cad85917e2c1a3265a5515d231ec182f1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    3d31fb6fd19983effb8c20582ab2b113

    SHA1

    7ec20793c205f84e8fdf642f46a435b04496f8c9

    SHA256

    712791ad83a07ffe320229e85215eada5bd946ceadcc3b2f412b042a9df04d4d

    SHA512

    af531d543676ada558bfc71cade1319e3ae38efdfc2f51eb2a50ec3f2b28f8c43ff9f01358defd039ecce2be5be71221361e860c84c64e3f1a7bc51cccd0f4bd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    20KB

    MD5

    5cc3ab93f8226b33ff024aaeeea340e8

    SHA1

    f88f007e9f2636abf699ad94cb4dd3a40e644248

    SHA256

    25b550daf26a81e417b1bf09b4980b917169778afb8c262d45b8a8480de167ef

    SHA512

    2420548f3feeb95a0e41dcb07d8c97ab56531ba5c864fc29a82adf9c020414e1aa3ce054c39134112d100ff10e329fc446d565b540bfada55652063aac3f10d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    01df767c4b8baa3303c8a7a6d1be52e6

    SHA1

    173ecec865fcbc23d8a66a7162464b545f1b880d

    SHA256

    667d6f490736d03b1b8895ddc92feecc6022e3385da97f4782c18034ddee7c3f

    SHA512

    1385cf772f8fa07980a5475a998470638b9a9d48ee91ce5d99d0186a154c806cfa123fc9a9b34fc34b5a0ad68a40e049d188516bf1445bb98c58721c04341ecf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    446f94627280ef58ecb75e196efebfe2

    SHA1

    6ad40707c91cc4d27207f50ccba84219aae1b655

    SHA256

    02f1e147baa61c9beb15fd2df4cb8158c44099bd130ae981b4ca46e0e649114e

    SHA512

    cf5e8438995a7ad1e4688027eac38faafb9d49746b64be703f87d084d2e7140364ea0cda575ee38fecc02b75b8e7ab1269d472700428f7e36c2e440d95be9104

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    f1d55a85fae52e122bfa26132839be01

    SHA1

    ac3c60117134736e34418f5ff514235a1be83dd8

    SHA256

    ab1ec8854fc718ac871ab4633b90c8746b1fd9590b2a1ad30c8960881d6c0ea6

    SHA512

    f153f546d2b88514ab2c5ebc61b6b03a695dc17de57bc23353a9769af6b9827b1672c2b7e76497c2d99a3a23c8939598ec9cbb7647297014510c4ef7a60c47f8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    20KB

    MD5

    ff004e67f4aaa0cec3d77e62d046cd80

    SHA1

    aad2787ce4074dce1633ce845ebb2c7e225d0e74

    SHA256

    c3f4d3ac595376d930d31b377987a408b63ba01a2fc684bcc8cd78cf31b4edf8

    SHA512

    13b9c789b94999e8a5071d90a9ad8366b44fbc55f58fecc60a7e07fcdb23c9d799cd0b4d48c146bb1de6e5f5e53f848d46711bb42e7bf087bbb5c7a6f80b3870

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    dfb365dc3d78ccae5fb81ddd39e028c9

    SHA1

    96439ec931581ed3530eadb07e1b75d66018aa1e

    SHA256

    10cb4adc19ad03031254033ce4d939bc7228fe12afd0d8ef1f86d96f10a4fff9

    SHA512

    79b1091278e5c176c3ee80a25fd226e25ca6f94b95c7a2846fbd4eb7e53f9119c5374d37fa93b6d99e36358470fec4fa309ff9438092fafc8b050601e95d2398

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    20KB

    MD5

    74c3e05f167c617ecc87c4491e37ce80

    SHA1

    3340cc3fcc84819f5a8815bf207037251b161584

    SHA256

    4a063a8cc0aaeab204d3358c3b1a942126e64e7d17599c9ebc17ec66b340b072

    SHA512

    31751f33c5c5140940f53a02b88c6fd1698e5085b29b150996428783d86367e5f434ab3b4aab1d40f4ee547c0f7d743eea25a39595ea646a56a229c5246ed929

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aveafxkp.g32.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1964-113-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/1964-115-0x0000000002430000-0x0000000002440000-memory.dmp

    Filesize

    64KB

  • memory/1964-114-0x0000000002430000-0x0000000002440000-memory.dmp

    Filesize

    64KB

  • memory/1964-127-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/2756-48-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/2756-294-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-296-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-298-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-300-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-292-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-268-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-284-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-274-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-1-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/2756-49-0x0000000005440000-0x0000000005450000-memory.dmp

    Filesize

    64KB

  • memory/2756-278-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-282-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-280-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-276-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-270-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-272-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-266-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-264-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-260-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-262-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-258-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-256-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-304-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-308-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-306-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-254-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-252-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-250-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-248-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-246-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-245-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-0-0x00000000006D0000-0x00000000007C2000-memory.dmp

    Filesize

    968KB

  • memory/2756-2-0x0000000005820000-0x0000000005DC4000-memory.dmp

    Filesize

    5.6MB

  • memory/2756-3-0x0000000005180000-0x0000000005212000-memory.dmp

    Filesize

    584KB

  • memory/2756-4-0x0000000005440000-0x0000000005450000-memory.dmp

    Filesize

    64KB

  • memory/2756-5-0x0000000005230000-0x000000000523A000-memory.dmp

    Filesize

    40KB

  • memory/2756-290-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-6-0x0000000005270000-0x00000000052C6000-memory.dmp

    Filesize

    344KB

  • memory/2756-288-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-286-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2756-302-0x0000000001080000-0x00000000010F6000-memory.dmp

    Filesize

    472KB

  • memory/2796-98-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/2796-112-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/2796-100-0x0000000005310000-0x0000000005320000-memory.dmp

    Filesize

    64KB

  • memory/2796-99-0x0000000005310000-0x0000000005320000-memory.dmp

    Filesize

    64KB

  • memory/3244-52-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/3244-54-0x00000000052E0000-0x00000000052F0000-memory.dmp

    Filesize

    64KB

  • memory/3244-53-0x00000000052E0000-0x00000000052F0000-memory.dmp

    Filesize

    64KB

  • memory/3244-60-0x0000000006030000-0x0000000006384000-memory.dmp

    Filesize

    3.3MB

  • memory/3244-67-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/3300-35-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/3300-36-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

  • memory/3300-46-0x0000000005A40000-0x0000000005D94000-memory.dmp

    Filesize

    3.3MB

  • memory/3300-51-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4032-171-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4032-185-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4032-172-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

  • memory/4032-173-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

  • memory/4348-141-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4348-129-0x0000000004870000-0x0000000004880000-memory.dmp

    Filesize

    64KB

  • memory/4348-128-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4596-30-0x0000000007F40000-0x00000000085BA000-memory.dmp

    Filesize

    6.5MB

  • memory/4596-8-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4596-7-0x00000000023C0000-0x00000000023F6000-memory.dmp

    Filesize

    216KB

  • memory/4596-24-0x0000000005800000-0x0000000005B54000-memory.dmp

    Filesize

    3.3MB

  • memory/4596-28-0x00000000061A0000-0x00000000061BA000-memory.dmp

    Filesize

    104KB

  • memory/4596-25-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

    Filesize

    120KB

  • memory/4596-11-0x0000000004940000-0x0000000004950000-memory.dmp

    Filesize

    64KB

  • memory/4596-33-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4596-9-0x0000000004940000-0x0000000004950000-memory.dmp

    Filesize

    64KB

  • memory/4596-27-0x0000000006220000-0x00000000062B6000-memory.dmp

    Filesize

    600KB

  • memory/4596-26-0x0000000005D10000-0x0000000005D5C000-memory.dmp

    Filesize

    304KB

  • memory/4596-14-0x0000000005690000-0x00000000056F6000-memory.dmp

    Filesize

    408KB

  • memory/4596-10-0x0000000004F80000-0x00000000055A8000-memory.dmp

    Filesize

    6.2MB

  • memory/4596-13-0x0000000005620000-0x0000000005686000-memory.dmp

    Filesize

    408KB

  • memory/4596-12-0x0000000004D20000-0x0000000004D42000-memory.dmp

    Filesize

    136KB

  • memory/4596-29-0x00000000061F0000-0x0000000006212000-memory.dmp

    Filesize

    136KB

  • memory/4924-68-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4924-69-0x0000000002950000-0x0000000002960000-memory.dmp

    Filesize

    64KB

  • memory/4924-79-0x00000000059F0000-0x0000000005D44000-memory.dmp

    Filesize

    3.3MB

  • memory/4924-82-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/5112-155-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/5112-142-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/5112-143-0x00000000047E0000-0x00000000047F0000-memory.dmp

    Filesize

    64KB

  • memory/5336-158-0x00000000021D0000-0x00000000021E0000-memory.dmp

    Filesize

    64KB

  • memory/5336-170-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/5336-157-0x00000000021D0000-0x00000000021E0000-memory.dmp

    Filesize

    64KB

  • memory/5336-156-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/5568-97-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB

  • memory/5568-85-0x00000000009B0000-0x00000000009C0000-memory.dmp

    Filesize

    64KB

  • memory/5568-84-0x00000000009B0000-0x00000000009C0000-memory.dmp

    Filesize

    64KB

  • memory/5568-83-0x0000000074D10000-0x00000000754C0000-memory.dmp

    Filesize

    7.7MB