metasploit | ffec84420df66d859693f437168673c87d2a0dd85becf14069431c11fad10972

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 11:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
Size

204KB
MD5

4e0e190eb8c9ec60710c13e5debd938b
SHA1

66f4bcf5ce90e7cb65da99470a3d77861c9bce00
SHA256

ffec84420df66d859693f437168673c87d2a0dd85becf14069431c11fad10972
SHA512

8eaea336ac4fa1599c61fb5c9c7354047b6bb1656d63c2c817b24c4fca968cdbc670ee6b3fe45ba51d7da7b86ad1e0286be2990f7a1d345aa673a88d4d6efd50
SSDEEP

6144:tLEffXH2P822Gbo/2nUvmmUL3poS78WGdBP6cL:tyf88dGbXNr3p57IdBP6cL

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wnpfs4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wnpfs4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wnpfs4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wnpfs4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wnpfs4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	wnpfs4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1572	wnpfs4.exe

Executes dropped EXE 14 IoCs

pid	Process
1020	wnpfs4.exe
1572	wnpfs4.exe
3948	wnpfs4.exe
1620	wnpfs4.exe
1280	wnpfs4.exe
3372	wnpfs4.exe
2068	wnpfs4.exe
3888	wnpfs4.exe
4852	wnpfs4.exe
1396	wnpfs4.exe
2552	wnpfs4.exe
3480	wnpfs4.exe
2472	wnpfs4.exe
4312	wnpfs4.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4924-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-9-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-6-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-10-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-44-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1572-53-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1572-56-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1572-54-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1572-55-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1572-59-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1620-67-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1620-69-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1620-70-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1620-72-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-82-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-80-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-87-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-89-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3372-93-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3888-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1396-116-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1396-123-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3480-133-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3480-138-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnpfs4.exe	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File created	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File created	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File created	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File created	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File opened for modification	C:\Windows\SysWOW64\wnpfs4.exe	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe
File created	C:\Windows\SysWOW64\wnpfs4.exe	wnpfs4.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 1020 set thread context of 1572	1020	wnpfs4.exe	93
PID 3948 set thread context of 1620	3948	wnpfs4.exe	95
PID 1280 set thread context of 3372	1280	wnpfs4.exe	97
PID 2068 set thread context of 3888	2068	wnpfs4.exe	99
PID 4852 set thread context of 1396	4852	wnpfs4.exe	101
PID 2552 set thread context of 3480	2552	wnpfs4.exe	103
PID 2472 set thread context of 4312	2472	wnpfs4.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpfs4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpfs4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpfs4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpfs4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpfs4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpfs4.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4924	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
4924	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
1572	wnpfs4.exe
1572	wnpfs4.exe
1620	wnpfs4.exe
1620	wnpfs4.exe
3372	wnpfs4.exe
3372	wnpfs4.exe
3888	wnpfs4.exe
3888	wnpfs4.exe
1396	wnpfs4.exe
1396	wnpfs4.exe
3480	wnpfs4.exe
3480	wnpfs4.exe
4312	wnpfs4.exe
4312	wnpfs4.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
1020	wnpfs4.exe
3948	wnpfs4.exe
1280	wnpfs4.exe
2068	wnpfs4.exe
4852	wnpfs4.exe
2552	wnpfs4.exe
2472	wnpfs4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4764 wrote to memory of 4924	4764	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	88
PID 4924 wrote to memory of 1020	4924	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	89
PID 4924 wrote to memory of 1020	4924	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	89
PID 4924 wrote to memory of 1020	4924	4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe	89
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1020 wrote to memory of 1572	1020	wnpfs4.exe	93
PID 1572 wrote to memory of 3948	1572	wnpfs4.exe	94
PID 1572 wrote to memory of 3948	1572	wnpfs4.exe	94
PID 1572 wrote to memory of 3948	1572	wnpfs4.exe	94
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 3948 wrote to memory of 1620	3948	wnpfs4.exe	95
PID 1620 wrote to memory of 1280	1620	wnpfs4.exe	96
PID 1620 wrote to memory of 1280	1620	wnpfs4.exe	96
PID 1620 wrote to memory of 1280	1620	wnpfs4.exe	96
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 1280 wrote to memory of 3372	1280	wnpfs4.exe	97
PID 3372 wrote to memory of 2068	3372	wnpfs4.exe	98
PID 3372 wrote to memory of 2068	3372	wnpfs4.exe	98
PID 3372 wrote to memory of 2068	3372	wnpfs4.exe	98
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 2068 wrote to memory of 3888	2068	wnpfs4.exe	99
PID 3888 wrote to memory of 4852	3888	wnpfs4.exe	100
PID 3888 wrote to memory of 4852	3888	wnpfs4.exe	100
PID 3888 wrote to memory of 4852	3888	wnpfs4.exe	100
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 4852 wrote to memory of 1396	4852	wnpfs4.exe	101
PID 1396 wrote to memory of 2552	1396	wnpfs4.exe	102

C:\Users\Admin\AppData\Local\Temp\4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4e0e190eb8c9ec60710c13e5debd938b_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\wnpfs4.exe
    "C:\Windows\system32\wnpfs4.exe" C:\Users\Admin\AppData\Local\Temp\4E0E19~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\wnpfs4.exe
      "C:\Windows\system32\wnpfs4.exe" C:\Users\Admin\AppData\Local\Temp\4E0E19~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3480
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\wnpfs4.exe
        
        "C:\Windows\system32\wnpfs4.exe" C:\Windows\SysWOW64\wnpfs4.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wnpfs4.exe

Filesize
204KB

MD5
4e0e190eb8c9ec60710c13e5debd938b

SHA1
66f4bcf5ce90e7cb65da99470a3d77861c9bce00

SHA256
ffec84420df66d859693f437168673c87d2a0dd85becf14069431c11fad10972

SHA512
8eaea336ac4fa1599c61fb5c9c7354047b6bb1656d63c2c817b24c4fca968cdbc670ee6b3fe45ba51d7da7b86ad1e0286be2990f7a1d345aa673a88d4d6efd50

Download Submit
memory/1020-57-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1020-46-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1280-86-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1280-74-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1396-116-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1396-123-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-54-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1572-53-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1620-70-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1620-67-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1620-72-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1620-69-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2068-102-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2068-95-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3372-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-93-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-89-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3372-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3480-138-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3480-133-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3888-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3948-68-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3948-61-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4764-7-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4764-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4852-108-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4924-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-10-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-9-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download