04e25dde1c54e74cf48c9f98b8ff2a47a1bc477e60fdc4bcc6cffe82c317b30a

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
Size

189KB
MD5

4deab6aa5ee45589ec738078bd26c82f
SHA1

c5a5c1227c5feaa2f4b0bf77d91c9c8a6ebc2711
SHA256

04e25dde1c54e74cf48c9f98b8ff2a47a1bc477e60fdc4bcc6cffe82c317b30a
SHA512

15d5bd20d505c6106d167481534eae6989f2f3245d05d3df370a3d472eb380e9d9e869dfee6572bddf68211e8b697a36bba529c74e26291c0825bb60d017c995
SSDEEP

3072:u6pmar4Ne5qDMG3Ark0OWzc4zye3yPE/bYaYuVePq07uDddFout96g:u6pmarRMMr7rzcKypPE/bYZSFoS91

Score

8^/10

evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2072 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1568 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

qydoxee.exe

pid process

1724 qydoxee.exe
Loads dropped DLL 2 IoCs

Processes:

4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe

pid process

2352 4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
2352 4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

pid	process
2072	netsh.exe

pid	process
1568	cmd.exe

pid	process
2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Nefaycp\qydoxee.exe	upx
behavioral1/memory/1724-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qydoxee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{56E153F2-9E50-6CDB-5A97-1C402DA33DD6} = "C:\\Users\\Admin\\AppData\\Roaming\\Nefaycp\\qydoxee.exe"	qydoxee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe

description pid process target process

PID 2352 set thread context of 1568 2352 4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 2352 set thread context of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\12325B3B-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

qydoxee.exe

pid	process
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe
1724	qydoxee.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2012	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

2012 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

2012 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

2012 WinMail.exe

pid	process
2012	WinMail.exe

pid	process
2012	WinMail.exe

pid	process
2012	WinMail.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.execmd.exeqydoxee.exe

description	pid	process	target process
PID 2352 wrote to memory of 2548	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2548	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2548	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2548	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1724	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	qydoxee.exe
PID 2352 wrote to memory of 1724	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	qydoxee.exe
PID 2352 wrote to memory of 1724	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	qydoxee.exe
PID 2352 wrote to memory of 1724	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	qydoxee.exe
PID 2548 wrote to memory of 2072	2548	cmd.exe	netsh.exe
PID 2548 wrote to memory of 2072	2548	cmd.exe	netsh.exe
PID 2548 wrote to memory of 2072	2548	cmd.exe	netsh.exe
PID 2548 wrote to memory of 2072	2548	cmd.exe	netsh.exe
PID 1724 wrote to memory of 1080	1724	qydoxee.exe	taskhost.exe
PID 1724 wrote to memory of 1080	1724	qydoxee.exe	taskhost.exe
PID 1724 wrote to memory of 1080	1724	qydoxee.exe	taskhost.exe
PID 1724 wrote to memory of 1080	1724	qydoxee.exe	taskhost.exe
PID 1724 wrote to memory of 1080	1724	qydoxee.exe	taskhost.exe
PID 1724 wrote to memory of 1152	1724	qydoxee.exe	Dwm.exe
PID 1724 wrote to memory of 1152	1724	qydoxee.exe	Dwm.exe
PID 1724 wrote to memory of 1152	1724	qydoxee.exe	Dwm.exe
PID 1724 wrote to memory of 1152	1724	qydoxee.exe	Dwm.exe
PID 1724 wrote to memory of 1152	1724	qydoxee.exe	Dwm.exe
PID 1724 wrote to memory of 1176	1724	qydoxee.exe	Explorer.EXE
PID 1724 wrote to memory of 1176	1724	qydoxee.exe	Explorer.EXE
PID 1724 wrote to memory of 1176	1724	qydoxee.exe	Explorer.EXE
PID 1724 wrote to memory of 1176	1724	qydoxee.exe	Explorer.EXE
PID 1724 wrote to memory of 1176	1724	qydoxee.exe	Explorer.EXE
PID 1724 wrote to memory of 1692	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1692	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1692	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1692	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1692	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 2352	1724	qydoxee.exe	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
PID 1724 wrote to memory of 2352	1724	qydoxee.exe	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
PID 1724 wrote to memory of 2352	1724	qydoxee.exe	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
PID 1724 wrote to memory of 2352	1724	qydoxee.exe	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
PID 1724 wrote to memory of 2352	1724	qydoxee.exe	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 1568	2352	4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe	cmd.exe
PID 1724 wrote to memory of 2908	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 2908	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 2908	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 2908	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 2908	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1792	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1792	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1792	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1792	1724	qydoxee.exe	DllHost.exe
PID 1724 wrote to memory of 1792	1724	qydoxee.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4deab6aa5ee45589ec738078bd26c82f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4324c9c8.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Nefaycp\qydoxee.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2072
- - C:\Users\Admin\AppData\Roaming\Nefaycp\qydoxee.exe
    "C:\Users\Admin\AppData\Roaming\Nefaycp\qydoxee.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp853d4d2c.bat"
    3⤵
    - Deletes itself
    PID:1568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1692

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
5f1cd08e1d534604d6d03130cfe3cbc6

SHA1
dd5a5da4ffcf433939607f3855cf6c134180dfb7

SHA256
4fb509384f5232cc4465d94306eb2c47de27c9480f8d17ca46f6e83bbbdf14d5

SHA512
f92d1f0d176e3855ce2d6df4adfd3f7b82e6501598cd0c75032b8f7877c904047fe5d1badecf7111b1c9dc161800258c38133c0831cb2be46a6c23d1b42abf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4324c9c8.bat

Filesize
204B

MD5
cd279550da4237009027ea4415deebc2

SHA1
cda4f2f9f50bbde78f04d824a1c37617d0007c17

SHA256
af5488c8e2088b44844ff53588c3f7ec0619beb87e07060fd950169361666c43

SHA512
65e6efe8ab4f22669b67791ebd325af2f130bbff74549e5a9f434c645dd5043238f83492bf86da7dddcb0160b3cb3437792492d45f24753b7d4929bdbb97d83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp853d4d2c.bat

Filesize
271B

MD5
2d6cfe98963ff670c63be7ed1f201266

SHA1
ba3e61d1269d39e7f906df00c1022f48501a6409

SHA256
ee8950146f5f37af6c3197407ee54ada7fa1ebf61f63ea8c75d1fd933d38e793

SHA512
4d457a3033a888e23df1e938919e7b036260617f6a90e7fa6a813c7d8b4e54f2f5ac90795416830be6387137860b5696050606b6392e5e4f46b7d1e8e199defa

Download Submit
C:\Users\Admin\AppData\Roaming\Atqato\geqoog.emg

Filesize
380B

MD5
34617ceb6b88a38f28b2ef6b0e128152

SHA1
1a78ba1df426e885e3782884190105ecca63caa6

SHA256
e498c0eac0909264a5f20296d56de9d8c8c7f897c16e4600487f1b069b5e2b7a

SHA512
5d51b806aa8ed1b9d7abccbaf388d85e93a19b3cd791e7dd13c7b0e791ccceb6b49aa0ae858dbbfa50eaea4cf3b99795dfa6b59efe53724e2c60238771b96be4

Download Submit
\Users\Admin\AppData\Roaming\Nefaycp\qydoxee.exe

Filesize
189KB

MD5
c1ab7ffa9663b0c399d4e89bde51a432

SHA1
63b7a2d1d370ad5fcac5f115d18052d38f7cdafe

SHA256
a89e1aa02aeaf63633d4bb2b1d62f19d501c6b849ee477038ec0caec9d1cffb8

SHA512
31949a8d2e116a12e68334c260307b8fde5961b593669a0de59b2cda5a068d339e87aad5c3f3d4ee758f72667dbac5c8512c28606d079234ca886ebecbf9c90d

Download Submit
memory/1080-25-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1080-21-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1080-27-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1080-19-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1080-23-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1152-31-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/1152-33-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/1152-35-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/1152-37-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/1176-43-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1176-41-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1176-42-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1176-40-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1692-46-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/1692-45-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/1692-47-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/1692-48-0x0000000001DD0000-0x0000000001DF7000-memory.dmp

Filesize
156KB

Download
memory/1724-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1724-342-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2352-52-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-70-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2352-53-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-54-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-55-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-82-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-80-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-79-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/2352-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-74-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-51-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-68-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-66-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-64-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-60-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-58-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-56-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-135-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2352-13-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/2352-14-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/2352-224-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2352-223-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2352-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2352-1-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download