98e4678511d215a6243d6012d9f71ae78d5afcb0f5cc93cf4e3aa403ef716443

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
Size

140KB
MD5

86b7f328217fe15567345321e31f7c5a
SHA1

6f69c40d3918b2e5fc646953bd1e1322acd3f7ee
SHA256

98e4678511d215a6243d6012d9f71ae78d5afcb0f5cc93cf4e3aa403ef716443
SHA512

9986c5a9e88bef527a41a860a8763e71e4468ed9951a37557dee4172db95caec8a892439fb2110f54360ff3102b3b1645d75d7004c744376bc6612082f54b994
SSDEEP

3072:xlJjsSFgXhVq+98ky3bgeMzDlGoTz/xDQJ0oN8:tjsSKXhVq+6k48eMzZXxDQJ0o

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1192	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	bauhi.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{173962AA-4FF9-C008-91E1-8ED8C7E0F42F} = "C:\\Users\\Admin\\AppData\\Roaming\\Axdu\\bauhi.exe"	bauhi.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 1192	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	45

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bauhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7A132A53-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe
2240	bauhi.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
Token: SeSecurityPrivilege	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
Token: SeSecurityPrivilege	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2076	WinMail.exe
Token: SeSecurityPrivilege	1192	cmd.exe
Token: SeManageVolumePrivilege	2948	WinMail.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2076	WinMail.exe
2948	WinMail.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2076	WinMail.exe
2948	WinMail.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2076	WinMail.exe
2948	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2016	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2016	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2016	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2016	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	30
PID 2016 wrote to memory of 3064	2016	net.exe	32
PID 2016 wrote to memory of 3064	2016	net.exe	32
PID 2016 wrote to memory of 3064	2016	net.exe	32
PID 2016 wrote to memory of 3064	2016	net.exe	32
PID 2388 wrote to memory of 1216	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	33
PID 2388 wrote to memory of 1216	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	33
PID 2388 wrote to memory of 1216	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	33
PID 2388 wrote to memory of 1216	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	33
PID 1216 wrote to memory of 1244	1216	net.exe	35
PID 1216 wrote to memory of 1244	1216	net.exe	35
PID 1216 wrote to memory of 1244	1216	net.exe	35
PID 1216 wrote to memory of 1244	1216	net.exe	35
PID 2388 wrote to memory of 2240	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	36
PID 2388 wrote to memory of 2240	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	36
PID 2388 wrote to memory of 2240	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	36
PID 2388 wrote to memory of 2240	2388	86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe	36
PID 2240 wrote to memory of 2784	2240	bauhi.exe	37
PID 2240 wrote to memory of 2784	2240	bauhi.exe	37
PID 2240 wrote to memory of 2784	2240	bauhi.exe	37
PID 2240 wrote to memory of 2784	2240	bauhi.exe	37
PID 2784 wrote to memory of 2844	2784	net.exe	39
PID 2784 wrote to memory of 2844	2784	net.exe	39
PID 2784 wrote to memory of 2844	2784	net.exe	39
PID 2784 wrote to memory of 2844	2784	net.exe	39
PID 2240 wrote to memory of 3016	2240	bauhi.exe	40
PID 2240 wrote to memory of 3016	2240	bauhi.exe	40
PID 2240 wrote to memory of 3016	2240	bauhi.exe	40
PID 2240 wrote to memory of 3016	2240	bauhi.exe	40
PID 2240 wrote to memory of 1064	2240	bauhi.exe	18
PID 2240 wrote to memory of 1064	2240	bauhi.exe	18
PID 2240 wrote to memory of 1064	2240	bauhi.exe	18
PID 2240 wrote to memory of 1064	2240	bauhi.exe	18
PID 2240 wrote to memory of 1064	2240	bauhi.exe	18
PID 2240 wrote to memory of 1132	2240	bauhi.exe	19
PID 2240 wrote to memory of 1132	2240	bauhi.exe	19
PID 2240 wrote to memory of 1132	2240	bauhi.exe	19
PID 2240 wrote to memory of 1132	2240	bauhi.exe	19
PID 2240 wrote to memory of 1132	2240	bauhi.exe	19
PID 2240 wrote to memory of 1200	2240	bauhi.exe	21
PID 2240 wrote to memory of 1200	2240	bauhi.exe	21
PID 2240 wrote to memory of 1200	2240	bauhi.exe	21
PID 2240 wrote to memory of 1200	2240	bauhi.exe	21
PID 2240 wrote to memory of 1200	2240	bauhi.exe	21
PID 2240 wrote to memory of 1232	2240	bauhi.exe	25
PID 2240 wrote to memory of 1232	2240	bauhi.exe	25
PID 2240 wrote to memory of 1232	2240	bauhi.exe	25
PID 2240 wrote to memory of 1232	2240	bauhi.exe	25
PID 2240 wrote to memory of 1232	2240	bauhi.exe	25
PID 2240 wrote to memory of 2388	2240	bauhi.exe	29
PID 2240 wrote to memory of 2388	2240	bauhi.exe	29
PID 2240 wrote to memory of 2388	2240	bauhi.exe	29
PID 2240 wrote to memory of 2388	2240	bauhi.exe	29
PID 2240 wrote to memory of 2388	2240	bauhi.exe	29
PID 3016 wrote to memory of 804	3016	net.exe	42
PID 3016 wrote to memory of 804	3016	net.exe	42
PID 3016 wrote to memory of 804	3016	net.exe	42
PID 3016 wrote to memory of 804	3016	net.exe	42
PID 2240 wrote to memory of 2076	2240	bauhi.exe	43
PID 2240 wrote to memory of 2076	2240	bauhi.exe	43
PID 2240 wrote to memory of 2076	2240	bauhi.exe	43

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\86b7f328217fe15567345321e31f7c5a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
- - C:\Users\Admin\AppData\Roaming\Axdu\bauhi.exe
    "C:\Users\Admin\AppData\Roaming\Axdu\bauhi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf34281a1.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1232

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735

Filesize
558B

MD5
3cc0012f96f8f44164c18d7de05023d9

SHA1
c8feb560d751fe720c8bdb53f5e78aa92abb9a9e

SHA256
2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5

SHA512
626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735

Filesize
232B

MD5
f46c86d5099d8716a38f2ed8e6c181cc

SHA1
baf6f6771fa49b1e8ef027e70b66b58671eccc22

SHA256
881b05e8d3657677da1b30eece1d77ec4541685d5d5c835ec84cded37dfaa6a6

SHA512
b2f0d1e0ddb093b105bbc8c21420bdae0062392f8886a3b2e79526feb2d1c88946896c5d65ebb552bad9e48d1bdb84edb3031c3845cbcb2d038cf93982508fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

Filesize
2.0MB

MD5
06cda3878e2bdfb17fe5aad2bb5d9201

SHA1
acf6bc39df6094b6dcde9518bb687433792dfd1e

SHA256
f0e74682f9f44599e336a8d63eec2ad9850564b9f7930ae72cfb12de7350a21a

SHA512
3f8cdd720fccd24317a7f9a2a8bd981b5a9c31b85214203e7afda75c343f03faa56ef8996d58b6f6ca34ca992c88e66d4b5b6ec214dcd60ebedbcb00e5f69510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk

Filesize
8KB

MD5
cdb599be05b5e230f95fd964adced14b

SHA1
07956d669be7d8c96d540bf79d42c7ba8179a258

SHA256
2528820f020ab8be06a145fe33358c8f4729ee94b2341c6a0d3591831bc60361

SHA512
3da353f739a402c6726b3a95b4136e5acb824b5abcc41bb8822edddca7513c347f4b5d41c5c437526180e1aa15cc21638bc2f6246dd4b55a9dcbc2cceb06b584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
d7f59bbdbc7f72cf2b471ad4a8b51e1f

SHA1
730d5a82616d1954e7d10cd8a033b554c9deb42b

SHA256
ce24323a0b3388fd439d68b9099aa31cdec2cb89fac54e384fb8a36faba5d1e3

SHA512
eb8cc36366b6b6a2a826bfac082cc65b7edcd337a3fb12ffc016642a9d8f9e066df9107a0e3d8d54cce6d9333b224755f9df667cf50db07279c38f6594aa90c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
0ee8b12b49f2b8dc2e48259e9343b496

SHA1
8b8c1ccc8ab942897b0621710b831d36a2f392f8

SHA256
7ba81a9c9ef042c13a027c19e650466b866b50cba5ca4ff1329c1985036438f9

SHA512
822988acf9f6e64060b8b8b33df7791567788f61b65896332b5705661d78def89fd73965c4f9463abf1f04a82db6811fe7eda3690ae9f8c809e2562f7b382e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
2bf93bb022b33e16d678497010019f7b

SHA1
c003eb1c6fc3641f5eaf60df7636a0d400dfef43

SHA256
f1bac22a4abbb0b2834c3939569a9a71b1b7daca9ca31f482a24e01e5b934230

SHA512
57897a9f789a87f3f2cff18de83272db6ba96471a556d2acf10ac88c8837211e387e140ebfb740e0e38441af4c72797c57a3c6879b38697ed9e1764b07f4d364

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE041.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpf34281a1.bat

Filesize
271B

MD5
d9063731a511f290e7d18567d5cc2efd

SHA1
3410fae29582eab6ac510f77e9f444578e6b65b4

SHA256
2eebe521e70c2c27f18c9ac3ab17cb010cfb1d541f293a989e3c3174153334a1

SHA512
adb55cbc294ac7eca0420377530bdfcd782d4b927ed81ca6aa4229baf3a7faf803c0a9aa3c658ca14c436401a58e7feffd219c54bc130c294314b2dffb0beab5

Download Submit
C:\Users\Admin\AppData\Roaming\Ynal\vuge.kel

Filesize
380B

MD5
aa7a60dd2d210d9e301e3c939ea49d47

SHA1
77c5887c4cf2408b81139fafcab3e39bdeca7f4b

SHA256
4b20721f15007cafa921eca090b849769bac811fd8a06d8637b5cda31f6087f9

SHA512
f3d63eba6c75df9fa46d84773416bdcd77d8ae4cc3eb6c927600c7a4b9575305ebd83ee6cebfd3fb7fa8b0a8b99709a4258813e96a1aff0193f93cd26f331d49

Download Submit
\Users\Admin\AppData\Roaming\Axdu\bauhi.exe

Filesize
140KB

MD5
b488bfd94c559ad8aa06a709531052af

SHA1
9d60a2421ef9332ec95266b637a28c0f018d4184

SHA256
3f98f4da5a152010dcb4b712f9da186317d9fee9adb2e1756b11cb078f5b13d4

SHA512
e46ad0a25024589946a336dbb925b6b943b7879a26aa7daf2d74e892655add80abc11c87ffe0fd775203316a23280495272ebb94cdb66f64defed5b2a758e2ec

Download Submit
memory/1064-14-0x00000000022E0000-0x0000000002308000-memory.dmp

Filesize
160KB

Download
memory/1064-20-0x00000000022E0000-0x0000000002308000-memory.dmp

Filesize
160KB

Download
memory/1064-16-0x00000000022E0000-0x0000000002308000-memory.dmp

Filesize
160KB

Download
memory/1064-18-0x00000000022E0000-0x0000000002308000-memory.dmp

Filesize
160KB

Download
memory/1064-22-0x00000000022E0000-0x0000000002308000-memory.dmp

Filesize
160KB

Download
memory/1132-26-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1132-28-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1132-30-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1132-32-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1200-40-0x0000000002E00000-0x0000000002E28000-memory.dmp

Filesize
160KB

Download
memory/1200-36-0x0000000002E00000-0x0000000002E28000-memory.dmp

Filesize
160KB

Download
memory/1200-38-0x0000000002E00000-0x0000000002E28000-memory.dmp

Filesize
160KB

Download
memory/1200-42-0x0000000002E00000-0x0000000002E28000-memory.dmp

Filesize
160KB

Download
memory/1232-46-0x0000000001E50000-0x0000000001E78000-memory.dmp

Filesize
160KB

Download
memory/1232-48-0x0000000001E50000-0x0000000001E78000-memory.dmp

Filesize
160KB

Download
memory/1232-50-0x0000000001E50000-0x0000000001E78000-memory.dmp

Filesize
160KB

Download
memory/1232-52-0x0000000001E50000-0x0000000001E78000-memory.dmp

Filesize
160KB

Download
memory/2240-486-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2240-12-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2388-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-64-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/2388-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-0-0x0000000001F90000-0x00000000021C0000-memory.dmp

Filesize
2.2MB

Download
memory/2388-241-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2388-62-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/2388-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-75-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-77-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-60-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/2388-58-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/2388-2-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2388-1-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2388-56-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download