latentbot | 8f4d46ef3df58b4b056302f5128dea4406c5ec321ca0aef51b61240cada41126

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe
Size

1.4MB
MD5

1df3e22f5fc25ab21e3fb89684818d46
SHA1

d72729754bd91f0f1d0b039583c28f7d03839523
SHA256

8f4d46ef3df58b4b056302f5128dea4406c5ec321ca0aef51b61240cada41126
SHA512

61fbdecae71346359aaac42f50323be0180459c8b573376b2e1fe1af7a82dc023f970d18f14db1ba950a5a4c898ef66a1bf27380534d08bdf334d83a071ba8ca
SSDEEP

24576:Xj+kb1dw1UFbU8u6gM+7gG1xM5hCN4vph0RMj+kb1dw1UFbU8u6gM+7gG1xM5hC9:zHb1c6X+d/4308Hb1c6X+d/430B

Score

10^/10

latentbot evasion trojan

Malware Config

Extracted

Family

latentbot

nyandcompany.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ctfmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmon.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WindowsDef.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsDef.exe:*:Enabled:Windows Messanger"	reg.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	ctfmon.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe
1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2404	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2504	reg.exe
3036	reg.exe
776	reg.exe
1584	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe
Token: 1	2680	ctfmon.exe
Token: SeCreateTokenPrivilege	2680	ctfmon.exe
Token: SeAssignPrimaryTokenPrivilege	2680	ctfmon.exe
Token: SeLockMemoryPrivilege	2680	ctfmon.exe
Token: SeIncreaseQuotaPrivilege	2680	ctfmon.exe
Token: SeMachineAccountPrivilege	2680	ctfmon.exe
Token: SeTcbPrivilege	2680	ctfmon.exe
Token: SeSecurityPrivilege	2680	ctfmon.exe
Token: SeTakeOwnershipPrivilege	2680	ctfmon.exe
Token: SeLoadDriverPrivilege	2680	ctfmon.exe
Token: SeSystemProfilePrivilege	2680	ctfmon.exe
Token: SeSystemtimePrivilege	2680	ctfmon.exe
Token: SeProfSingleProcessPrivilege	2680	ctfmon.exe
Token: SeIncBasePriorityPrivilege	2680	ctfmon.exe
Token: SeCreatePagefilePrivilege	2680	ctfmon.exe
Token: SeCreatePermanentPrivilege	2680	ctfmon.exe
Token: SeBackupPrivilege	2680	ctfmon.exe
Token: SeRestorePrivilege	2680	ctfmon.exe
Token: SeShutdownPrivilege	2680	ctfmon.exe
Token: SeDebugPrivilege	2680	ctfmon.exe
Token: SeAuditPrivilege	2680	ctfmon.exe
Token: SeSystemEnvironmentPrivilege	2680	ctfmon.exe
Token: SeChangeNotifyPrivilege	2680	ctfmon.exe
Token: SeRemoteShutdownPrivilege	2680	ctfmon.exe
Token: SeUndockPrivilege	2680	ctfmon.exe
Token: SeSyncAgentPrivilege	2680	ctfmon.exe
Token: SeEnableDelegationPrivilege	2680	ctfmon.exe
Token: SeManageVolumePrivilege	2680	ctfmon.exe
Token: SeImpersonatePrivilege	2680	ctfmon.exe
Token: SeCreateGlobalPrivilege	2680	ctfmon.exe
Token: 31	2680	ctfmon.exe
Token: 32	2680	ctfmon.exe
Token: 33	2680	ctfmon.exe
Token: 34	2680	ctfmon.exe
Token: 35	2680	ctfmon.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2680	ctfmon.exe
2680	ctfmon.exe
2680	ctfmon.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2148	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2148	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2148	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2148	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	28
PID 2148 wrote to memory of 2676	2148	csc.exe	30
PID 2148 wrote to memory of 2676	2148	csc.exe	30
PID 2148 wrote to memory of 2676	2148	csc.exe	30
PID 2148 wrote to memory of 2676	2148	csc.exe	30
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2680	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2628	2680	ctfmon.exe	32
PID 2680 wrote to memory of 2628	2680	ctfmon.exe	32
PID 2680 wrote to memory of 2628	2680	ctfmon.exe	32
PID 2680 wrote to memory of 2628	2680	ctfmon.exe	32
PID 2680 wrote to memory of 2664	2680	ctfmon.exe	33
PID 2680 wrote to memory of 2664	2680	ctfmon.exe	33
PID 2680 wrote to memory of 2664	2680	ctfmon.exe	33
PID 2680 wrote to memory of 2664	2680	ctfmon.exe	33
PID 2680 wrote to memory of 2536	2680	ctfmon.exe	34
PID 2680 wrote to memory of 2536	2680	ctfmon.exe	34
PID 2680 wrote to memory of 2536	2680	ctfmon.exe	34
PID 2680 wrote to memory of 2536	2680	ctfmon.exe	34
PID 2680 wrote to memory of 2492	2680	ctfmon.exe	37
PID 2680 wrote to memory of 2492	2680	ctfmon.exe	37
PID 2680 wrote to memory of 2492	2680	ctfmon.exe	37
PID 2680 wrote to memory of 2492	2680	ctfmon.exe	37
PID 2628 wrote to memory of 3036	2628	cmd.exe	40
PID 2628 wrote to memory of 3036	2628	cmd.exe	40
PID 2628 wrote to memory of 3036	2628	cmd.exe	40
PID 2628 wrote to memory of 3036	2628	cmd.exe	40
PID 2664 wrote to memory of 2504	2664	cmd.exe	41
PID 2664 wrote to memory of 2504	2664	cmd.exe	41
PID 2664 wrote to memory of 2504	2664	cmd.exe	41
PID 2664 wrote to memory of 2504	2664	cmd.exe	41
PID 2536 wrote to memory of 1584	2536	cmd.exe	42
PID 2536 wrote to memory of 1584	2536	cmd.exe	42
PID 2536 wrote to memory of 1584	2536	cmd.exe	42
PID 2536 wrote to memory of 1584	2536	cmd.exe	42
PID 2492 wrote to memory of 776	2492	cmd.exe	43
PID 2492 wrote to memory of 776	2492	cmd.exe	43
PID 2492 wrote to memory of 776	2492	cmd.exe	43
PID 2492 wrote to memory of 776	2492	cmd.exe	43
PID 1640 wrote to memory of 2376	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	44
PID 1640 wrote to memory of 2376	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	44
PID 1640 wrote to memory of 2376	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	44
PID 1640 wrote to memory of 2376	1640	1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe	44
PID 2376 wrote to memory of 2404	2376	cmd.exe	46
PID 2376 wrote to memory of 2404	2376	cmd.exe	46
PID 2376 wrote to memory of 2404	2376	cmd.exe	46
PID 2376 wrote to memory of 2404	2376	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1df3e22f5fc25ab21e3fb89684818d46_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\brodbmqr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1517.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1516.tmp"
    3⤵
    PID:2676
- C:\Users\Admin\AppData\Roaming\ctfmon.exe
  C:\Users\Admin\AppData\Roaming\ctfmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ctfmon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ctfmon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WindowsDef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowsDef.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WindowsDef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowsDef.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DNS.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdnsipconfig/releaseipconfig/renew
    3⤵
    - Gathers network information
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNS.bat

Filesize
47B

MD5
4b403bd7ff6fe021fcf3ecdd2c029f87

SHA1
890642fc02dbfffd5d3aef0ec652fa636a48c3ee

SHA256
267c9197388ab6b34c7516e728a3529df2b7aab5029588ffb47540bbe651f654

SHA512
3bdef29cfeab451d45182420bd179f9450a0da5c842992260a420728e212635f90cc1f394687c8ac852ccd8caf529e9bdb4aff24e2d07f6705594931b3ef5e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1517.tmp

Filesize
1KB

MD5
1c92a2ab64752e00d162490079551908

SHA1
5b3af3a876d011479333ade5541ad97dbb58702f

SHA256
ceb77d7e8e577b587218591373fd89c6885a85fbada49e88f8d7650f68d44b07

SHA512
0defd1640296f86b189ed271be29ac038edbafa6c8361360fbd4a5440d3374dc6f35506aa096b01a7579462f35f8c2c6a8303d0dd0f3ef663a02fb430255e3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\brodbmqr.dll

Filesize
5KB

MD5
74a40c0a9fb3acf67e2b7e64b082a63a

SHA1
03aaf4f04d273b20f1cb22de9b0e45feccba02ba

SHA256
959fd553f9f477dcc9910b5823feddc9bfaf985215dc0cbd89a529963b9aba6e

SHA512
047135925743dac3ae8a433f1b01f7baa7bd124f881010f0e500124f8bfeaa4ef41faaa477baf730dcd926ca7914fcb2d9fa68ccf510232bf3b3043513faf07a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1516.tmp

Filesize
652B

MD5
18a206d52c898666d30f38dce71f77f7

SHA1
50406e4e872688f5a28095b5d5bd53331bc7201c

SHA256
69f9ab3c09c44bfb897d00dec6f8398911ee6c692c63288c175bf7fdaf7ef206

SHA512
3fb0434c615824973504b78c115532490f685665bcbd1c5dbe8ec96a2c6f026abb965580ed06740d654eac49e98975f267d8435e5a8b138fdd24c57cf7150c87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\brodbmqr.0.cs

Filesize
4KB

MD5
2216d197bc442e875016eba15c07a937

SHA1
37528e21ea3271b85d276c6bd003e6c60c81545d

SHA256
2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

SHA512
7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\brodbmqr.cmdline

Filesize
206B

MD5
81581a34f77ba9ff4fceffc67bf63daf

SHA1
e324e68f60387e61e0b002bd217f046269bf5385

SHA256
1590b2f92f9da8472d48b5e61430ebc963d541c89e9196ce872a166973262462

SHA512
d1ad0153eca754cb6425adf1b8830bac8173e31eb6e840ccea2f8c22e3042f1ebc0de6f60b9deee19ef558e3d1ab4cb2aca5505b7a34d42a144ee7f70eb03b0d

Download Submit
\Users\Admin\AppData\Roaming\ctfmon.exe

Filesize
420KB

MD5
13f3b14913321c0c5aa5187048713e16

SHA1
4627a45190f5799e0f58662592ead8c98159c4ac

SHA256
28fffccd6c5afef751399139e50f767d1253c4c95dcaa8f8dd355fbbdc04c9cd

SHA512
37c29eb996e4e1b15e456c17cbd539a3635e931f25091bb183e7aec8086364a61206f595f7da90e74d1cb16147a0c6f3cf010c7d56db41ca63c2b268db3c2772

Download Submit
memory/1640-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-2-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-73-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-0-0x0000000074711000-0x0000000074712000-memory.dmp

Filesize
4KB

Download
memory/2148-16-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-11-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-78-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-90-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-77-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-72-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-74-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-76-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-81-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-80-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-82-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-84-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-85-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-86-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-88-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-89-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2680-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download