098c86f15990c259eb8479d7a7f4a360b175a46518580f94bdfa07d998ecc55f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
Size

3.3MB
MD5

7315c5de2e97e98ef48467b2ef495256
SHA1

3fcbfd2241110f05fa872198ce645cd034bf829a
SHA256

098c86f15990c259eb8479d7a7f4a360b175a46518580f94bdfa07d998ecc55f
SHA512

8a5424dfadac9496bae4efe6447c58f1dd2aded0e345aa779f0a674cd42f68d7eed62e5057849aef3c4b5652a0f5e072b2f73e9b960b3ce4450cf698e48fafec
SSDEEP

49152:LzBPcQeGCsMYRQhGdVT37Uw6kn8hBFG22sNt8wV8l629uIPYpHNvkIfoHN/kx:LFDefuRQeVTLJ6U8h/eE8U2xYVdRfEMx

Score

8^/10

discovery evasion persistence themida

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe"	svcr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}	svcr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe"	svcr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}	svcr.exe

Executes dropped EXE 5 IoCs

pid	Process
3004	fotos.exe
2060	svcr.exe
2740	pc.exe
2224	svcr.exe
3584	svcr.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	svcr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	svcr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	fotos.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	svcr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	pc.exe

Loads dropped DLL 10 IoCs

pid	Process
2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
3004	fotos.exe
3004	fotos.exe
3004	fotos.exe
2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
2740	pc.exe
2740	pc.exe
2740	pc.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000f000000018701-18.dat	themida
behavioral1/memory/3004-25-0x0000000000400000-0x0000000000564000-memory.dmp	themida
behavioral1/files/0x000600000001924a-39.dat	themida
behavioral1/memory/2060-43-0x0000000000400000-0x000000000071F000-memory.dmp	themida
behavioral1/memory/3004-48-0x0000000000400000-0x0000000000564000-memory.dmp	themida
behavioral1/files/0x00070000000191dc-49.dat	themida
behavioral1/memory/2740-62-0x0000000000400000-0x0000000000654000-memory.dmp	themida
behavioral1/memory/2224-77-0x0000000000400000-0x000000000071F000-memory.dmp	themida
behavioral1/memory/2060-74-0x0000000000400000-0x000000000071F000-memory.dmp	themida
behavioral1/memory/3584-1664-0x0000000000400000-0x000000000071F000-memory.dmp	themida
behavioral1/memory/2224-1662-0x0000000000400000-0x000000000071F000-memory.dmp	themida
behavioral1/memory/2740-1661-0x0000000000400000-0x0000000000654000-memory.dmp	themida
behavioral1/memory/3584-3245-0x0000000000400000-0x000000000071F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	pc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	svcr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	svcr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	pc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3004	fotos.exe
2060	svcr.exe
2224	svcr.exe
2740	pc.exe
3584	svcr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svcr.exe	svcr.exe
File created	C:\Windows\svcr.exe	svcr.exe
File opened for modification	C:\Windows\svcr.exe	pc.exe
File created	C:\Windows\svcr.exe	pc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fotos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcr.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3004	fotos.exe
2060	svcr.exe
2060	svcr.exe
2740	pc.exe
2224	svcr.exe
2224	svcr.exe
2740	pc.exe
2740	pc.exe
2740	pc.exe
2740	pc.exe
2740	pc.exe
3584	svcr.exe
3584	svcr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	svcr.exe
Token: SeDebugPrivilege	3584	svcr.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3004	fotos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 2192 wrote to memory of 3004	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 3004 wrote to memory of 2060	3004	fotos.exe	32
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2740	2192	7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe	33
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2060 wrote to memory of 2224	2060	svcr.exe	34
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21
PID 2224 wrote to memory of 1192	2224	svcr.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7315c5de2e97e98ef48467b2ef495256_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fotos.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fotos.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\svcr.exe
      "C:\svcr.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\svcr.exe
        
        "C:\Windows\svcr.exe" "C:\svcr.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pc.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
  - - C:\Windows\svcr.exe
      "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pc.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\09.jpg

Filesize
97KB

MD5
64525afc96c3859b7fc418ff9903ccd2

SHA1
2ef7c31978d81752cb50f2b9d80d9a57da939a62

SHA256
c75d28f5e476578ef93f40e9b29ca0f20a3319a742ffcf53dda8129b927abc67

SHA512
58e355c723f76a0a2f05ed54a1e1f5552323871973575977cfeab6f5ce7fdaff92f76799a4a49f328a67477ef42af6640f138d913a0ddf9bef1e341bef7cd7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fotos.exe

Filesize
2.1MB

MD5
efdf19e9adf05986630b2f9f24be45b8

SHA1
0b3b9a9e463fbd8e368bb05a1b99f1e59a9548ed

SHA256
cc84b0cce8caf465f9106add34952356b4156b3acce383d053cf5fd5f849836f

SHA512
47bf2c51bf7c21745fd66fd816f3140fe1e165574f6ca195cf82d13a0b37dfaa8e11e61272847a8af5cb66022c8faa44822fe86b16441ca8b762fd1130356fba

Download Submit
C:\svcr.exe

Filesize
1.4MB

MD5
23b5d33a0ea651a9e59a33d56e2e164b

SHA1
36e566d711e0d10d89f466843ad53dbd8612d0e1

SHA256
14c27a854e1e7a254865802fd00de9329c3d5c3db103d3e0ba9149ce9b7d4306

SHA512
777940740047f85c6c8d6b82462291434f316e33b4e2d1f23aa563cbd314bb3874433d5fcfc93c5fd9a6faaf72f42d8d7470c7c86e6d49c85ca11961946920a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\pc.exe

Filesize
1.3MB

MD5
452a3258526a6dcf82cdc32a14562e9c

SHA1
d82cc0e76415f9b5ac66b2d5586bcc327091ffe6

SHA256
64764d4a45cbbc7b852ac792e2c40034c1bbfaf7726702d00f97e405b9e83129

SHA512
9fea47753c03dc7b821d9b9024350845878199bc892c71b5af9ee8aa076aef89e15ff36e8c0425f3acaa95c11ab271652a456ff5d0719ef9b5a36c9aff4e0e35

Download Submit
memory/1192-79-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2060-74-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2060-44-0x0000000000D80000-0x000000000109F000-memory.dmp

Filesize
3.1MB

Download
memory/2060-45-0x0000000000D80000-0x000000000109F000-memory.dmp

Filesize
3.1MB

Download
memory/2060-46-0x0000000000D80000-0x000000000109F000-memory.dmp

Filesize
3.1MB

Download
memory/2060-43-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2192-24-0x0000000002A80000-0x0000000002BE4000-memory.dmp

Filesize
1.4MB

Download
memory/2192-1-0x0000000001680000-0x0000000001CF9000-memory.dmp

Filesize
6.5MB

Download
memory/2192-1665-0x0000000001000000-0x0000000001678A42-memory.dmp

Filesize
6.5MB

Download
memory/2192-1663-0x0000000001680000-0x0000000001CF9000-memory.dmp

Filesize
6.5MB

Download
memory/2192-5-0x0000000001680000-0x0000000001CF9000-memory.dmp

Filesize
6.5MB

Download
memory/2192-0-0x0000000001000000-0x0000000001678A42-memory.dmp

Filesize
6.5MB

Download
memory/2192-2-0x0000000001680000-0x0000000001CF9000-memory.dmp

Filesize
6.5MB

Download
memory/2192-23-0x0000000002A80000-0x0000000002BE4000-memory.dmp

Filesize
1.4MB

Download
memory/2192-6-0x0000000001000000-0x0000000001678A42-memory.dmp

Filesize
6.5MB

Download
memory/2192-75-0x0000000001000000-0x0000000001678A42-memory.dmp

Filesize
6.5MB

Download
memory/2192-3-0x0000000001673000-0x0000000001674000-memory.dmp

Filesize
4KB

Download
memory/2192-76-0x0000000001680000-0x0000000001CF9000-memory.dmp

Filesize
6.5MB

Download
memory/2192-60-0x0000000002F60000-0x00000000031B4000-memory.dmp

Filesize
2.3MB

Download
memory/2192-4-0x0000000001000000-0x0000000001678A42-memory.dmp

Filesize
6.5MB

Download
memory/2192-61-0x0000000002F60000-0x00000000031B4000-memory.dmp

Filesize
2.3MB

Download
memory/2224-77-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2224-1662-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2224-78-0x0000000010410000-0x000000001042E000-memory.dmp

Filesize
120KB

Download
memory/2432-32-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2740-63-0x0000000000CB0000-0x0000000000F04000-memory.dmp

Filesize
2.3MB

Download
memory/2740-64-0x0000000000CB0000-0x0000000000F04000-memory.dmp

Filesize
2.3MB

Download
memory/2740-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2740-1661-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3004-25-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/3004-26-0x0000000000B00000-0x0000000000C64000-memory.dmp

Filesize
1.4MB

Download
memory/3004-48-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/3004-31-0x0000000006290000-0x0000000006292000-memory.dmp

Filesize
8KB

Download
memory/3004-42-0x0000000006C20000-0x0000000006F3F000-memory.dmp

Filesize
3.1MB

Download
memory/3004-41-0x0000000006C20000-0x0000000006F3F000-memory.dmp

Filesize
3.1MB

Download
memory/3004-29-0x00000000045A0000-0x00000000045A2000-memory.dmp

Filesize
8KB

Download
memory/3584-1664-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3584-3245-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download