f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
Size

5.3MB
MD5

7ceb3e676313c920a35ad525ce9b9fe7
SHA1

24a6f335e885bc0bafd8129b7fa13dce4aabb430
SHA256

f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32
SHA512

f0e1df942ffe51a777745a0ebd8e62a87b9952ffcc6eb4c1b48fa6bfa783076e7e46203f7a0425893a953e205f4d23d8cd86c205c7a5dc018df5045c5a8e4963
SSDEEP

98304:GBze+DWzwgfjGmMdivlucHq81K0U4DzRtNCC6rYOALRiNKpRyE3Rb1:4ze9cidud8pUSzpXOALRi4pT91

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects BazaLoader malware 12 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral1/memory/1972-0-0x0000000140000000-0x0000000140647000-memory.dmp	BazaLoader
behavioral1/files/0x000b000000016176-30.dat	BazaLoader
behavioral1/memory/3016-34-0x0000000140000000-0x0000000140647000-memory.dmp	BazaLoader
behavioral1/memory/1972-35-0x0000000140000000-0x0000000140647000-memory.dmp	BazaLoader
behavioral1/memory/3016-113-0x0000000140000000-0x0000000140647000-memory.dmp	BazaLoader
behavioral1/memory/2796-114-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader
behavioral1/memory/2796-115-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader
behavioral1/memory/2796-116-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader
behavioral1/memory/2796-117-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader
behavioral1/memory/2500-155-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader
behavioral1/memory/2796-156-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader
behavioral1/memory/2500-157-0x0000000140000000-0x000000014015E400-memory.dmp	BazaLoader

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1584	netsh.exe
2088	netsh.exe
2648	netsh.exe
2556	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
3016	svchost.exe
2796	~tl9914.tmp
2500	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
3016	svchost.exe
3016	svchost.exe
2796	~tl9914.tmp
2796	~tl9914.tmp

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\svchost.exe	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl9914.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl9914.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
File created	C:\Windows\System\svchost.exe	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2752	schtasks.exe
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2572	powershell.exe
2008	powershell.exe
1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
2688	powershell.exe
2304	powershell.exe
2796	~tl9914.tmp
2684	powershell.exe
2448	powershell.exe
2796	~tl9914.tmp
2500	svchost.exe
1664	powershell.exe
828	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2008	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2008	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2008	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2572	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2572	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2572	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2752	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2752	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2752	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	34
PID 1972 wrote to memory of 3016	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	36
PID 1972 wrote to memory of 3016	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	36
PID 1972 wrote to memory of 3016	1972	f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2688	3016	svchost.exe	37
PID 3016 wrote to memory of 2688	3016	svchost.exe	37
PID 3016 wrote to memory of 2688	3016	svchost.exe	37
PID 3016 wrote to memory of 2304	3016	svchost.exe	39
PID 3016 wrote to memory of 2304	3016	svchost.exe	39
PID 3016 wrote to memory of 2304	3016	svchost.exe	39
PID 3016 wrote to memory of 2796	3016	svchost.exe	44
PID 3016 wrote to memory of 2796	3016	svchost.exe	44
PID 3016 wrote to memory of 2796	3016	svchost.exe	44
PID 2796 wrote to memory of 1732	2796	~tl9914.tmp	46
PID 2796 wrote to memory of 1732	2796	~tl9914.tmp	46
PID 2796 wrote to memory of 1732	2796	~tl9914.tmp	46
PID 2796 wrote to memory of 2648	2796	~tl9914.tmp	48
PID 2796 wrote to memory of 2648	2796	~tl9914.tmp	48
PID 2796 wrote to memory of 2648	2796	~tl9914.tmp	48
PID 2796 wrote to memory of 2556	2796	~tl9914.tmp	50
PID 2796 wrote to memory of 2556	2796	~tl9914.tmp	50
PID 2796 wrote to memory of 2556	2796	~tl9914.tmp	50
PID 2796 wrote to memory of 2684	2796	~tl9914.tmp	52
PID 2796 wrote to memory of 2684	2796	~tl9914.tmp	52
PID 2796 wrote to memory of 2684	2796	~tl9914.tmp	52
PID 2796 wrote to memory of 2448	2796	~tl9914.tmp	54
PID 2796 wrote to memory of 2448	2796	~tl9914.tmp	54
PID 2796 wrote to memory of 2448	2796	~tl9914.tmp	54
PID 2796 wrote to memory of 1064	2796	~tl9914.tmp	56
PID 2796 wrote to memory of 1064	2796	~tl9914.tmp	56
PID 2796 wrote to memory of 1064	2796	~tl9914.tmp	56
PID 2796 wrote to memory of 1972	2796	~tl9914.tmp	58
PID 2796 wrote to memory of 1972	2796	~tl9914.tmp	58
PID 2796 wrote to memory of 1972	2796	~tl9914.tmp	58
PID 2796 wrote to memory of 2500	2796	~tl9914.tmp	60
PID 2796 wrote to memory of 2500	2796	~tl9914.tmp	60
PID 2796 wrote to memory of 2500	2796	~tl9914.tmp	60
PID 2500 wrote to memory of 2876	2500	svchost.exe	62
PID 2500 wrote to memory of 2876	2500	svchost.exe	62
PID 2500 wrote to memory of 2876	2500	svchost.exe	62
PID 2500 wrote to memory of 1584	2500	svchost.exe	64
PID 2500 wrote to memory of 1584	2500	svchost.exe	64
PID 2500 wrote to memory of 1584	2500	svchost.exe	64
PID 2500 wrote to memory of 2088	2500	svchost.exe	66
PID 2500 wrote to memory of 2088	2500	svchost.exe	66
PID 2500 wrote to memory of 2088	2500	svchost.exe	66
PID 2500 wrote to memory of 1664	2500	svchost.exe	68
PID 2500 wrote to memory of 1664	2500	svchost.exe	68
PID 2500 wrote to memory of 1664	2500	svchost.exe	68
PID 2500 wrote to memory of 828	2500	svchost.exe	70
PID 2500 wrote to memory of 828	2500	svchost.exe	70
PID 2500 wrote to memory of 828	2500	svchost.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:2752
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\~tl9914.tmp
    C:\Users\Admin\AppData\Local\Temp\~tl9914.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\netsh.exe
      netsh int ipv4 set dynamicport tcp start=1025 num=64511
      4⤵
      PID:1732
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2648
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      4⤵
      PID:1064
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      4⤵
      Creates scheduled task(s)
      PID:1972
  - - C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 set dynamicport tcp start=1025 num=64511
        5⤵
        
        PID:2876
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1584
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c6b0c8c02a41a6db17f481a2b4dc8ca1

SHA1
d948f3e8709f9541fda71f643a48d1c4a4bc62ec

SHA256
9883644fcf38f3ade05cdaf9ba25953c41d8668ef67e0335c6c297b00d6f82c5

SHA512
e2760ee39ceceea7ad13caa3923fe600b4ac47b16b21841bf6561e55ebe9c61808c8cee4cd41ce595ffe9842aa88179a5b610065e0e60e804a046749d5448881

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efeffa7f0d81577bf9732c7116c690f1

SHA1
33443c671ecfc443822fe77f7babf770376ba833

SHA256
25c8d7fc3a800165e78e065c354807fc60eba952ec8e296aa021c2e4f7222a8c

SHA512
0cad6c4c4be271ae5d42b7074f881ea68fee54addc467b2801dab6826dc7a504d69a35d2ef3e86dc571e4ecf166b5f9f7d6e08bfb149065221ca0b39079a5428

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
82ffeea95e93986d0d585ba6b89a7690

SHA1
1bbf819111b2516fa6201b48979836ff15e86c03

SHA256
db4d7e8ce41044c18bf1c5db0d05fab76846dcf6487e4b665c03d128ff3aa196

SHA512
76d6d2371cb819468a09fdc42d25215eb23be0c7bcd60f1a84f6b1a7a59b646ba596bcd22865575a7e856b0fa48f20d7d40cd2775aab72d2ab75370d0a0ffe7c

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.8MB

MD5
05c04e3b1d1f3e0a44a1be1d9b81a748

SHA1
70859c87a31f47087b445da80e19dcd83a26ff33

SHA256
ae325e6d9faee6ce4552b01c084ea1ff6447bdcf589d6e200ce3208632743518

SHA512
9fb60290549696e332acad651947dce7ab8355a2bee0a858d19bbf8bf744ba530a3f053155aa02547da8c819bd323615d4711b4ad85a8b49ca11fa972c76257a

Download Submit
C:\Windows\System\svchost.exe

Filesize
385KB

MD5
afca213ee0321f46e8bde639ae2de3e2

SHA1
4dc7621667b7cdb544c03c4b756cd0193b9d74f9

SHA256
664200ddc8a80df3122556faae95263e64a5affe4d086982e690aec7d1bae7dc

SHA512
a075fbb1648b87768ab7973ff8ba97d658dd1f5c8b07e3ba4e535d7f318ded08aab4714eff38becf61cbc2d68cb5a6bc7011b6e7cdc2ea47ecd2d143ea7cb843

Download Submit
C:\Windows\system\svchost.exe

Filesize
5.3MB

MD5
7ceb3e676313c920a35ad525ce9b9fe7

SHA1
24a6f335e885bc0bafd8129b7fa13dce4aabb430

SHA256
f38327b8c73b8f9b205f8ac447f83c7a6b425908283bb68bf742827248dd4f32

SHA512
f0e1df942ffe51a777745a0ebd8e62a87b9952ffcc6eb4c1b48fa6bfa783076e7e46203f7a0425893a953e205f4d23d8cd86c205c7a5dc018df5045c5a8e4963

Download Submit
\Users\Admin\AppData\Local\Temp\~tl9914.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
memory/828-179-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/828-175-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/828-177-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/828-178-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/828-180-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-167-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/1664-165-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-176-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-166-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/1664-164-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-163-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1664-168-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/1972-35-0x0000000140000000-0x0000000140647000-memory.dmp

Filesize
6.3MB

Download
memory/1972-33-0x000000004A2F0000-0x000000004A937000-memory.dmp

Filesize
6.3MB

Download
memory/1972-0-0x0000000140000000-0x0000000140647000-memory.dmp

Filesize
6.3MB

Download
memory/2008-17-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2008-23-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-20-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2008-22-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-16-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-15-0x0000000001E50000-0x0000000001ED0000-memory.dmp

Filesize
512KB

Download
memory/2304-53-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2304-55-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-54-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-57-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2304-58-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2304-56-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/2304-97-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2448-140-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2448-136-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2448-135-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-134-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2448-138-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-141-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-157-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2500-155-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2572-11-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2572-18-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2572-21-0x0000000002A0B000-0x0000000002A72000-memory.dmp

Filesize
412KB

Download
memory/2572-19-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-14-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2572-13-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2572-12-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-10-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-123-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-137-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2684-133-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2684-125-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2684-139-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-132-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-124-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-51-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-44-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2688-52-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2688-61-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-60-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2688-46-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2688-45-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-43-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-59-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2796-117-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2796-116-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2796-115-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2796-114-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2796-156-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3016-113-0x0000000140000000-0x0000000140647000-memory.dmp

Filesize
6.3MB

Download
memory/3016-34-0x0000000140000000-0x0000000140647000-memory.dmp

Filesize
6.3MB

Download
memory/3016-62-0x0000000040660000-0x0000000040B5C000-memory.dmp

Filesize
5.0MB

Download