ae618985c729b9ad6e92003da13da3a34b31d25763b53954c5e811ba4d84fd92

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ef0fe938365af28546abd716308328_JaffaCakes118.exe
Size

646KB
MD5

83ef0fe938365af28546abd716308328
SHA1

a9da57143fc395c6189d3c2b7c1a7b0ec8dde75b
SHA256

ae618985c729b9ad6e92003da13da3a34b31d25763b53954c5e811ba4d84fd92
SHA512

2640978ac737f7c5d3e37859f5183feaa3eb6248ebd686a128c473504ac2dd869bb2f500897cde95fc171626ce5b8f2bd0dbf05da6209d66cd9be16e03030d57
SSDEEP

12288:zQAGmRXONMwbytVvu/j5u8a9iU/YFOFD+dW+fVJbQyXcOPAI0u:zgUOnaVvulnGDBkVJbZPAu

Score

9^/10

collection credential_access discovery spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 20 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2452-37-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2452-33-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2892-48-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral1/memory/2892-47-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral1/memory/2892-49-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral1/memory/2596-57-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2596-56-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2596-58-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2976-65-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2976-67-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2908-79-0x0000000000400000-0x000000000043E000-memory.dmp	Nirsoft
behavioral1/memory/2908-75-0x0000000000400000-0x000000000043E000-memory.dmp	Nirsoft
behavioral1/memory/2908-74-0x0000000000400000-0x000000000043E000-memory.dmp	Nirsoft
behavioral1/memory/2668-85-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2668-87-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2416-90-0x0000000000400000-0x0000000000410000-memory.dmp	Nirsoft
behavioral1/memory/2416-92-0x0000000000400000-0x0000000000410000-memory.dmp	Nirsoft
behavioral1/memory/2416-93-0x0000000000400000-0x0000000000410000-memory.dmp	Nirsoft
behavioral1/memory/688-99-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral1/memory/688-101-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2596-57-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2596-56-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2596-58-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Executes dropped EXE 9 IoCs

pid	Process
1728	svchost.exe
2452	svchost.exe
2892	svchost.exe
2596	svchost.exe
2976	svchost.exe
2908	svchost.exe
2668	svchost.exe
2416	svchost.exe
688	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1728-24-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/1728-39-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/2452-37-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2452-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2452-32-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2452-29-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1728-23-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/2892-48-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2892-47-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2892-46-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2892-43-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1728-18-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/1728-15-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/1728-12-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/1728-10-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/2892-49-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2596-52-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2596-57-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2596-56-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2596-55-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2596-58-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2976-61-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2976-63-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2976-64-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2976-65-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2976-67-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2908-71-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2908-79-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2908-75-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2908-74-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2908-73-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2668-82-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2668-84-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2668-86-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2668-85-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2668-87-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/688-98-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/688-96-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/688-99-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/688-101-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1728-104-0x0000000000400000-0x00000000005E7000-memory.dmp	upx
behavioral1/memory/1728-105-0x0000000000400000-0x00000000005E7000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 1728 set thread context of 2452	1728	svchost.exe	31
PID 1728 set thread context of 2892	1728	svchost.exe	32
PID 1728 set thread context of 2596	1728	svchost.exe	33
PID 1728 set thread context of 2976	1728	svchost.exe	34
PID 1728 set thread context of 2908	1728	svchost.exe	35
PID 1728 set thread context of 2668	1728	svchost.exe	36
PID 1728 set thread context of 2416	1728	svchost.exe	37
PID 1728 set thread context of 688	1728	svchost.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83ef0fe938365af28546abd716308328_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	svchost.exe
Token: SeDebugPrivilege	2668	svchost.exe
Token: SeRestorePrivilege	2668	svchost.exe
Token: SeBackupPrivilege	2668	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1728	2540	83ef0fe938365af28546abd716308328_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2452	1728	svchost.exe	31
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2892	1728	svchost.exe	32
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2596	1728	svchost.exe	33
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2976	1728	svchost.exe	34
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2908	1728	svchost.exe	35
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2668	1728	svchost.exe	36
PID 1728 wrote to memory of 2416	1728	svchost.exe	37
PID 1728 wrote to memory of 2416	1728	svchost.exe	37

C:\Users\Admin\AppData\Local\Temp\83ef0fe938365af28546abd716308328_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83ef0fe938365af28546abd716308328_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\offc.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\mess.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\mail.dat"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\dial.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\chro.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\iexp.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\ptsg.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /stext "C:\Users\Admin\AppData\Local\Temp\ffox.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dial.dat

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\offc.dat

Filesize
1KB

MD5
f9d09cf53cb7dfe8e8e88a0ea70d683f

SHA1
b98ce83f8a4826b3a02dcbf40c054826320b247b

SHA256
5e75f0aaba4c9a8bbda3e6ce8dfa5bae06f7a255ef04fd9660b64171126c9089

SHA512
f8eaa66ab2dac0aed7c28c50386a850a39664ada1bc444fb71a272c46ad5d1eae6255c5fa357c28f6d0aeddc716832a9e25e8076bcc5596940a559943a235b15

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/688-98-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/688-96-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/688-99-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/688-101-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1728-15-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-24-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-10-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-12-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1728-18-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-23-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-9-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-105-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-104-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1728-39-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2416-93-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-29-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2452-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2452-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2452-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2540-3-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-2-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-1-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-0-0x0000000074901000-0x0000000074902000-memory.dmp

Filesize
4KB

Download
memory/2540-42-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-41-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-48-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-47-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-46-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-43-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-49-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2908-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2976-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2976-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2976-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2976-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download