d91e6a26ea8eba6955703b8983c2dc0eafc953b1e09e9d49d96597f5e7c73fc9

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
Size

133KB
MD5

1b8b2159d83a1d701ae70cefc0c6eb09
SHA1

0825658a01ed52c04354de9695926ed8db63ec31
SHA256

d91e6a26ea8eba6955703b8983c2dc0eafc953b1e09e9d49d96597f5e7c73fc9
SHA512

b28d033c74863730e2a465894926cbaf7313b71b8d313acf16f71e304a98cd0cb8b74ca57fa98dc85360b60179c327b49e9850123ffd4898d9795e69bfcc53dd
SSDEEP

3072:IpBLXLirVWJlZBntHlJoDL01CBVLFNJs++SrDc:aLMol/XTM7riSrDc

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2696	netsh.exe

Deletes itself 1 IoCs

pid	Process
1780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	zoalko.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\{959CCE23-C83F-8ED1-A1B9-C2C55F1F3ED2} = "C:\\Users\\Admin\\AppData\\Roaming\\Yfz\\zoalko.exe"	zoalko.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Privacy	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\69302DC0-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe
2780	zoalko.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
Token: SeSecurityPrivilege	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
Token: SeSecurityPrivilege	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1584	WinMail.exe
Token: SeSecurityPrivilege	1780	cmd.exe
Token: SeManageVolumePrivilege	2968	WinMail.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1584	WinMail.exe
2968	WinMail.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1584	WinMail.exe
2968	WinMail.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1584	WinMail.exe
2968	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1712	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	28
PID 1868 wrote to memory of 1712	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	28
PID 1868 wrote to memory of 1712	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	28
PID 1868 wrote to memory of 1712	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	28
PID 1868 wrote to memory of 2780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	30
PID 2780 wrote to memory of 1052	2780	zoalko.exe	17
PID 1712 wrote to memory of 2696	1712	cmd.exe	31
PID 1712 wrote to memory of 2696	1712	cmd.exe	31
PID 1712 wrote to memory of 2696	1712	cmd.exe	31
PID 1712 wrote to memory of 2696	1712	cmd.exe	31
PID 2780 wrote to memory of 1052	2780	zoalko.exe	17
PID 2780 wrote to memory of 1052	2780	zoalko.exe	17
PID 2780 wrote to memory of 1052	2780	zoalko.exe	17
PID 2780 wrote to memory of 1052	2780	zoalko.exe	17
PID 2780 wrote to memory of 1124	2780	zoalko.exe	19
PID 2780 wrote to memory of 1124	2780	zoalko.exe	19
PID 2780 wrote to memory of 1124	2780	zoalko.exe	19
PID 2780 wrote to memory of 1124	2780	zoalko.exe	19
PID 2780 wrote to memory of 1124	2780	zoalko.exe	19
PID 2780 wrote to memory of 1180	2780	zoalko.exe	21
PID 2780 wrote to memory of 1180	2780	zoalko.exe	21
PID 2780 wrote to memory of 1180	2780	zoalko.exe	21
PID 2780 wrote to memory of 1180	2780	zoalko.exe	21
PID 2780 wrote to memory of 1180	2780	zoalko.exe	21
PID 2780 wrote to memory of 1740	2780	zoalko.exe	23
PID 2780 wrote to memory of 1740	2780	zoalko.exe	23
PID 2780 wrote to memory of 1740	2780	zoalko.exe	23
PID 2780 wrote to memory of 1740	2780	zoalko.exe	23
PID 2780 wrote to memory of 1740	2780	zoalko.exe	23
PID 2780 wrote to memory of 1868	2780	zoalko.exe	27
PID 2780 wrote to memory of 1868	2780	zoalko.exe	27
PID 2780 wrote to memory of 1868	2780	zoalko.exe	27
PID 2780 wrote to memory of 1868	2780	zoalko.exe	27
PID 2780 wrote to memory of 1868	2780	zoalko.exe	27
PID 2780 wrote to memory of 1584	2780	zoalko.exe	32
PID 2780 wrote to memory of 1584	2780	zoalko.exe	32
PID 2780 wrote to memory of 1584	2780	zoalko.exe	32
PID 2780 wrote to memory of 1584	2780	zoalko.exe	32
PID 2780 wrote to memory of 1584	2780	zoalko.exe	32
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1780	1868	1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe	33
PID 2780 wrote to memory of 1676	2780	zoalko.exe	34
PID 2780 wrote to memory of 1676	2780	zoalko.exe	34
PID 2780 wrote to memory of 1676	2780	zoalko.exe	34
PID 2780 wrote to memory of 1676	2780	zoalko.exe	34
PID 2780 wrote to memory of 1676	2780	zoalko.exe	34
PID 2780 wrote to memory of 2368	2780	zoalko.exe	35
PID 2780 wrote to memory of 2368	2780	zoalko.exe	35
PID 2780 wrote to memory of 2368	2780	zoalko.exe	35
PID 2780 wrote to memory of 2368	2780	zoalko.exe	35
PID 2780 wrote to memory of 2368	2780	zoalko.exe	35
PID 2780 wrote to memory of 2968	2780	zoalko.exe	36
PID 2780 wrote to memory of 2968	2780	zoalko.exe	36
PID 2780 wrote to memory of 2968	2780	zoalko.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1052

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1b8b2159d83a1d701ae70cefc0c6eb09_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0a096fc7.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Yfz\zoalko.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2696
- - C:\Users\Admin\AppData\Roaming\Yfz\zoalko.exe
    "C:\Users\Admin\AppData\Roaming\Yfz\zoalko.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbd234b52.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1740

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-153119674218884593511151869544-758297524334506984-10979040581910520731140750854"
1⤵
PID:2368

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3b9a3421736d55d6e25cbc67ba1529b

SHA1
87db23c62fd24eb77538dd36aff50b961b8d696b

SHA256
f562b43212fff856535d1fe48eb7f2bf214e4a9234731a485b22cd252f1013f4

SHA512
128c542c5509e8170fad558d80f9b4119b88121848ee0618e2a1072ea0c1ab0bb56028f48752001fab1ca51f85c005a44889969d19aa1888097a2da0929dbe02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

Filesize
2.0MB

MD5
bf83d3795ff3a2dfbcc47c799c56fe64

SHA1
e32ee39e42344a2959047c95db4037e9908a49c1

SHA256
326f31d8f985537e9b13ab2dfa13d246da119eecd3300f227d928810a8c57493

SHA512
46e9d2a9668f135becfc536cd5d6975ac8ad3668bb4f0f029953af6ea003b2837a54aa2a09e7f292d97e502488c3d2b64d240300e1f75c001161628d550c6fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk

Filesize
8KB

MD5
ad311dcd93ecb2c30aef4dcff4c02177

SHA1
77f3f1d10927f687e65d23b229f534e29e854db8

SHA256
449d0c234ad3392f5b06743fa4527f413705b2417a20837782d232291372f2dd

SHA512
c6dd235128946ab604d8f82780f99e6409c823e24e9dbbd8865764feedfd70da42eb72145b7ac252636ccee8129714c91fd30d2c497e69a0533eae596b68f996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
146b931a03d5762745b91ef2b8d07347

SHA1
29e4a4086e638532da339e04fc65806ae0dc712d

SHA256
1a338915d8b832c6849222ec77c083b52244ebc52d70567fea5abaafc7e6c469

SHA512
1345d230de859577857e1d79bbf3e6abe0257b10efc0b59f6f3248afb29c78808db3b41b5080ca875262479419c62e88992fcca2fbd2969ee129a04e9d1c995a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
05ddd85f3446ca1a1b6c39dac63074d5

SHA1
b70e0ddf68877b03571ddb29ce1e6604b04e8add

SHA256
0ffd822a734f1216a559af6b34de4400ffdd2a813e6c0429d88d869b7555b373

SHA512
774527d2d4e404d0a4e03db902e84af227610c2570f9ff69cb3650ecb7a667d7b89482c15bf9864ef842282318f573ca2e94255ae3263ab03a0a5e7aad081296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D2B.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp0a096fc7.bat

Filesize
199B

MD5
fd3c20523942c486e60142fd84dc8dfa

SHA1
530cb7cfd1bc3a2626a4e773e58bedaf5f216f9e

SHA256
89baf0faea8de835071c8c5993d74891a27b3bed9a4e46c75b026ce5b12a58a3

SHA512
a4fb384e564cc1ad2742f35a300295e12789bf31175c39256e8e0d0e629d58b2acb1c63a98bc9e26d1f5be43fbd1d864a8377bacbc5ce2a5e84a76875d3decb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpbd234b52.bat

Filesize
271B

MD5
2ec0d6d97f136ba99d8f54ab260e9d12

SHA1
2d3f8ee6691d3c9cb3e10b5e1a3cae5d263c4f99

SHA256
f9e8f5a672edd07839ddde63952e59eaec048957ca68a9af1b46f4f01c209129

SHA512
3586c1f057b43d390d73dcd93c0840a62c215ba6564d273aa69543996e859b837fe54d686f328662da1f41248c9f8aa0835ffdff238eb3bf63e5835087f0219c

Download Submit
C:\Users\Admin\AppData\Roaming\Daq\azlyqyu.wao

Filesize
380B

MD5
ca72b526a27809d0eb1f509183e93446

SHA1
afdcf1039414dafce255a466daa9579e6b2a4baf

SHA256
656df738a4354d99e39836aae9510a197af49ff1a934c299f295df1981daa655

SHA512
56a8ce41fea7402160986651e0d39788a13ef5de7d8316e03e5c3608a3025ca5f5df96d79de5abddd297d63acc47471460f9381204e44d1d0f813d26fa7e01d8

Download Submit
\Users\Admin\AppData\Roaming\Yfz\zoalko.exe

Filesize
133KB

MD5
862102efd52cdabf121774ba0fad102c

SHA1
38141151d1b1349cf4ec3db17e39ac4e8912f9ef

SHA256
7165f2dd985db6f016c2180a39d3592382840f5a7e026fa57930c074fb7e3f5e

SHA512
0b6de2d4d2a20e488bb1e3da0e2df66215c05571dbb37a3d1d190658dff9a51d5a471cc8858a198e77ddcab628e596701aaf54f926239b75ca62903f40ba9fb6

Download Submit
memory/1052-17-0x0000000002110000-0x0000000002138000-memory.dmp

Filesize
160KB

Download
memory/1052-19-0x0000000002110000-0x0000000002138000-memory.dmp

Filesize
160KB

Download
memory/1052-21-0x0000000002110000-0x0000000002138000-memory.dmp

Filesize
160KB

Download
memory/1052-25-0x0000000002110000-0x0000000002138000-memory.dmp

Filesize
160KB

Download
memory/1052-23-0x0000000002110000-0x0000000002138000-memory.dmp

Filesize
160KB

Download
memory/1124-29-0x00000000003E0000-0x0000000000408000-memory.dmp

Filesize
160KB

Download
memory/1124-35-0x00000000003E0000-0x0000000000408000-memory.dmp

Filesize
160KB

Download
memory/1124-33-0x00000000003E0000-0x0000000000408000-memory.dmp

Filesize
160KB

Download
memory/1124-31-0x00000000003E0000-0x0000000000408000-memory.dmp

Filesize
160KB

Download
memory/1180-40-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1180-39-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1180-38-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1180-41-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1740-43-0x0000000001CA0000-0x0000000001CC8000-memory.dmp

Filesize
160KB

Download
memory/1740-44-0x0000000001CA0000-0x0000000001CC8000-memory.dmp

Filesize
160KB

Download
memory/1740-45-0x0000000001CA0000-0x0000000001CC8000-memory.dmp

Filesize
160KB

Download
memory/1740-46-0x0000000001CA0000-0x0000000001CC8000-memory.dmp

Filesize
160KB

Download
memory/1868-53-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-54-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1868-48-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1868-0-0x0000000000840000-0x0000000000860000-memory.dmp

Filesize
128KB

Download
memory/1868-49-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1868-180-0x0000000000840000-0x0000000000860000-memory.dmp

Filesize
128KB

Download
memory/1868-50-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1868-206-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1868-207-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-51-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1868-52-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1868-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1868-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2780-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2780-453-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2780-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download