13b74b7ca4091d1cdb7b20592c948e6bdab75c888eb0d12ee1f5ffdbe31b25c5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Size

603KB
MD5

eddc25a649b2f0d76959caccd6c1a8a5
SHA1

2fc23cb063507be7a70ce0e1d6a69258beec498c
SHA256

13b74b7ca4091d1cdb7b20592c948e6bdab75c888eb0d12ee1f5ffdbe31b25c5
SHA512

65abd9a05395ece43a8087c040e7e5698f196b01681787012e6307c2dc231b1fcf347f9c61086ea6ce1d340b3eb9e1838e7c97b6aad34bb1d2ba774bc223cd7a
SSDEEP

12288:5uuLXm8bJoafouHtstuiIkET4Hypk65Sqa5+Khn94WO0BAfteZ6LYDDKX5rwk2Gd:nTm8byafoIsRDET35vPfrqDKX5rg6

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1608	durio.exe
1532	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8B55598B-08B0-6D5B-4ACD-9423E1F3CC4C} = "C:\\Users\\Admin\\AppData\\Roaming\\Imtape\\durio.exe"	durio.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Privacy	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\69CD3A51-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe
1608	durio.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: 33	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2868	WinMail.exe
Token: SeSecurityPrivilege	1532	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	WinMail.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1608	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	28
PID 1248 wrote to memory of 1608	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	28
PID 1248 wrote to memory of 1608	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	28
PID 1248 wrote to memory of 1608	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	28
PID 1608 wrote to memory of 1212	1608	durio.exe	19
PID 1608 wrote to memory of 1212	1608	durio.exe	19
PID 1608 wrote to memory of 1212	1608	durio.exe	19
PID 1608 wrote to memory of 1212	1608	durio.exe	19
PID 1608 wrote to memory of 1212	1608	durio.exe	19
PID 1608 wrote to memory of 1276	1608	durio.exe	20
PID 1608 wrote to memory of 1276	1608	durio.exe	20
PID 1608 wrote to memory of 1276	1608	durio.exe	20
PID 1608 wrote to memory of 1276	1608	durio.exe	20
PID 1608 wrote to memory of 1276	1608	durio.exe	20
PID 1608 wrote to memory of 1336	1608	durio.exe	21
PID 1608 wrote to memory of 1336	1608	durio.exe	21
PID 1608 wrote to memory of 1336	1608	durio.exe	21
PID 1608 wrote to memory of 1336	1608	durio.exe	21
PID 1608 wrote to memory of 1336	1608	durio.exe	21
PID 1608 wrote to memory of 1248	1608	durio.exe	27
PID 1608 wrote to memory of 1248	1608	durio.exe	27
PID 1608 wrote to memory of 1248	1608	durio.exe	27
PID 1608 wrote to memory of 1248	1608	durio.exe	27
PID 1608 wrote to memory of 1248	1608	durio.exe	27
PID 1608 wrote to memory of 2868	1608	durio.exe	29
PID 1608 wrote to memory of 2868	1608	durio.exe	29
PID 1608 wrote to memory of 2868	1608	durio.exe	29
PID 1608 wrote to memory of 2868	1608	durio.exe	29
PID 1608 wrote to memory of 2868	1608	durio.exe	29
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1248 wrote to memory of 1532	1248	eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe	30
PID 1608 wrote to memory of 320	1608	durio.exe	32
PID 1608 wrote to memory of 320	1608	durio.exe	32
PID 1608 wrote to memory of 320	1608	durio.exe	32
PID 1608 wrote to memory of 320	1608	durio.exe	32
PID 1608 wrote to memory of 320	1608	durio.exe	32
PID 1608 wrote to memory of 2924	1608	durio.exe	33
PID 1608 wrote to memory of 2924	1608	durio.exe	33
PID 1608 wrote to memory of 2924	1608	durio.exe	33
PID 1608 wrote to memory of 2924	1608	durio.exe	33
PID 1608 wrote to memory of 2924	1608	durio.exe	33
PID 1608 wrote to memory of 2716	1608	durio.exe	34
PID 1608 wrote to memory of 2716	1608	durio.exe	34
PID 1608 wrote to memory of 2716	1608	durio.exe	34
PID 1608 wrote to memory of 2716	1608	durio.exe	34
PID 1608 wrote to memory of 2716	1608	durio.exe	34
PID 1608 wrote to memory of 2440	1608	durio.exe	37
PID 1608 wrote to memory of 2440	1608	durio.exe	37
PID 1608 wrote to memory of 2440	1608	durio.exe	37
PID 1608 wrote to memory of 2440	1608	durio.exe	37
PID 1608 wrote to memory of 2440	1608	durio.exe	37
PID 1608 wrote to memory of 2888	1608	durio.exe	38
PID 1608 wrote to memory of 2888	1608	durio.exe	38
PID 1608 wrote to memory of 2888	1608	durio.exe	38
PID 1608 wrote to memory of 2888	1608	durio.exe	38
PID 1608 wrote to memory of 2888	1608	durio.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eddc25a649b2f0d76959caccd6c1a8a5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.53\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.51\Native\STUBEXE\@APPDATA@\Imtape\durio.exe
    "C:\Users\Admin\AppData\Roaming\Imtape\durio.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1608
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.53\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.51\Native\STUBEXE\@SYSTEM@\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd14a9cf6.bat"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1532

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2440

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
e1b32eb793ef2d6dbd54e6a7734ad1ee

SHA1
ecaa7f5cf5b286a5e88dc653a8e8294d0021ace3

SHA256
30269855bc887ef938734545421056ebcec21035551e44ae0041dcce9513c672

SHA512
aea85b6aed1befa858501baba730f51c20dc5c1d9821b21eb4da91331ec3fd42f86eb45c8fdffcea00f78c7ff16d73a19ff2870eb250e444cd1f1155b57ea3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpd14a9cf6.bat

Filesize
161B

MD5
31e30af9fe84b27324687b5a1092f0de

SHA1
b86d61ffcbf3f30da9507990db6f00ee566bc1df

SHA256
59f5376ce64317f1c91a3d3ba8beab4435a4ef43276c4d7f786044b4e92314aa

SHA512
c9170798ee13dd5704347d9e60a69a96e576814c213ea85d10ee9d9a041ff515b0f6a892b107829f69ca89c2450f59ac5942150ddbe59c16134980fad69f7620

Download Submit
C:\Users\Admin\AppData\Roaming\Iflo\bexeo.rir

Filesize
325B

MD5
5794310d06df8c29205c5dbf80f0dfda

SHA1
d5d5dc51224c1d2a45bf340c4b0acc2d7658e65b

SHA256
d1eba8ea3e8530358e0502eb7e063bc7588c146eea40885ad2db5b5f02394c0b

SHA512
981d06497a8fe00712ebe1466cb9c0bfcd460c44ea009ce1088d9a59ac023f6e3e2990ac89753a5fc4e4503404b4dbc7e91dc0214490b2ffe358be344df149ea

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.53\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.51\Native\STUBEXE\@APPDATA@\Imtape\durio.exe

Filesize
16KB

MD5
f8cce100b3b4a562a10da59fb416754e

SHA1
55e2f3a276b2466bc89db1a2c3f30782502454ab

SHA256
68d1e61989de24dc8e051379fb371f74aa6cbbcb0c3896a3542bd24e3d125649

SHA512
0cdadc5dae7e69ce0470f50d471e6850f99734747e09734b9e7c05b45a43c36b58793f8ffca2c06df47a620bf1afa9c14c4b250f491868a8c14e146d98de8963

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.53\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.01T15.51\Native\STUBEXE\@SYSTEM@\cmd.exe

Filesize
16KB

MD5
43cf6d53eb497a3b345bc559ad6c1e5d

SHA1
a8db71511cac5293300982576a3d154758b8e295

SHA256
c5d6f582285d9b3bb7c90a3ddcb2885311f0958658272b64c193deca020ec05a

SHA512
cc60880b1a0946e6b2c60fbf0d52036a32f95844bca0e38362e0cb6415afa67aa83d764b30874636875ca07d6bde4a2e432c2dcc6524879cc0a3720cb95b79ab

Download Submit
\Users\Admin\AppData\Roaming\Imtape\durio.exe

Filesize
138KB

MD5
71236d1dbe96f898b194c20856dce83b

SHA1
8449c63157b0903fe72c777e3216f7d1d1bdb568

SHA256
86b609ebc1942d157f1334f42103a606c48e86cc7612caf648748c0be1ac1862

SHA512
a5579dec2a9f4cbda94914dfdfac2520722d9c734798af5c542d710f485724bd58aec6097e1edb809b3e0c68af748b7dd8aaa131038c8a7a2869637271e2de87

Download Submit
memory/1248-13-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-78-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-10-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-12-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-15-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-17-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-19-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-26-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-28-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-30-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-33-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-35-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-37-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-40-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-44-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-47-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-50-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-52-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-55-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-61-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-63-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-70-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-75-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-150-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-77-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-80-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-73-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-72-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-68-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-66-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-65-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-59-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-58-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-54-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-49-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-46-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-42-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-39-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-32-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-24-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-22-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-21-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-6-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-81-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-120-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-130-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-8-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-135-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-241-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-129-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-183-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-188-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-195-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-201-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-187-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-214-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-212-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/1248-182-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-222-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-226-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-235-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-149-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-256-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-257-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-281-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-308-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-313-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-317-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-320-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1248-324-0x00000000004A0000-0x00000000004FB000-memory.dmp

Filesize
364KB

Download
memory/1248-609-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-610-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1248-614-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-615-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-655-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1248-657-0x00000000004A0000-0x00000000004FB000-memory.dmp

Filesize
364KB

Download
memory/1248-0-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-1-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1248-3-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-624-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-636-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-643-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-659-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-661-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-682-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-674-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-634-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-688-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-628-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-626-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-678-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1608-690-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download