f1c17c47cc9f05d5573576e8bf3fb7ba16a05351c7da606e128133d2195e7be0

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe
Size

78KB
MD5

a092c54e333aa6800628dcfcecb439fe
SHA1

6ba81474ca3f99d6c5d5693e719102a80c69bb99
SHA256

f1c17c47cc9f05d5573576e8bf3fb7ba16a05351c7da606e128133d2195e7be0
SHA512

daadbf2ef09baad5236bf0657d0eb7f2512b747a905ef90c73d8db3f5ddfdf386db372d845149f66ff7767ad8b697afaf7566754d315133349258fb04054a28d
SSDEEP

1536:PNAfsZVudPzz4Mdf00/F8vJo5zSH1vfkm4TBsXhMVFTY:PNA0ZVudPzzJW0/Ftzy1v8mOcuTY

Score

10^/10

collection discovery persistence privilege_escalation

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	mstcpmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Shell = "{B5188283-49CE-44AE-87BC-371ACD2223D3}"	mstcpmon.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mstcpmon.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001722f-13.dat	acprotect
behavioral1/files/0x000900000001722b-30.dat	acprotect
behavioral1/memory/1648-66-0x0000000010000000-0x000000001000F000-memory.dmp	acprotect
behavioral1/files/0x000b000000016d89-63.dat	acprotect
behavioral1/memory/1648-137-0x0000000010000000-0x000000001000F000-memory.dmp	acprotect

Deletes itself 1 IoCs

pid	Process
1648	mstcpmon.exe

Executes dropped EXE 4 IoCs

pid	Process
1648	mstcpmon.exe
1724	chkdskw.exe
2300	mstcpmon.exe
576	sfc32.exe

Loads dropped DLL 31 IoCs

pid	Process
2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1724	chkdskw.exe
1724	chkdskw.exe
1724	chkdskw.exe
1724	chkdskw.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
2300	mstcpmon.exe
2300	mstcpmon.exe
2300	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
576	sfc32.exe
576	sfc32.exe
576	sfc32.exe
576	sfc32.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sfc32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\mstcpmon.exe	mstcpmon.exe
File opened for modification	C:\Windows\SysWOW64\mslogon.dll	mstcpmon.exe
File created	C:\Windows\SysWOW64\kårnål32.dll	mstcpmon.exe
File opened for modification	C:\Windows\SysWOW64\kårnål32.dll	mstcpmon.exe
File created	\??\c:\windows\SysWOW64\mstcpmon.exe	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\mstcpmon.exe	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswshell.dll	mstcpmon.exe
File opened for modification	C:\Windows\SysWOW64\itstore.dll	mstcpmon.exe
File opened for modification	C:\Windows\SysWOW64\chkdskw.exe	mstcpmon.exe
File opened for modification	C:\Windows\SysWOW64\sfc32.exe	mstcpmon.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Porno, sex, oral, anal cool, awesome!!.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Porno, sex, oral, anal cool, awesome!!.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Porno Screensaver.scr	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Porno pics arhive, xxx.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\WinAmp 5 Pro Keygen Crack Update.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Microsoft Office XP working Crack, Keygen.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Windown Longhorn Beta Leak.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Microsoft Office 2003 Crack, Working!.exe	chkdskw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Microsoft Office 2003 Crack, Working!.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\WinAmp 5 Pro Keygen Crack Update.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Serials.txt.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Opera 8 New!.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\XXX hardcore images.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Matrix 3 Revolution English Subtitles.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Microsoft Office XP working Crack, Keygen.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Porno pics arhive, xxx.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\WinAmp 6 New!.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ACDSee 9.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Ahead Nero 7.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Windows Sourcecode update.doc.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Opera 8 New!.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Matrix 3 Revolution English Subtitles.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Microsoft Office 2003 Crack, Working!.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Serials.txt.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\KAV 5.0.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Kaspersky Antivirus 5.0.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Windows Sourcecode update.doc.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Porno Screensaver.scr	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Ahead Nero 7.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\KAV 5.0.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Kaspersky Antivirus 5.0.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\WinAmp 6 New!.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\Adobe Photoshop 9 full.exe	chkdskw.exe
File created	C:\Program Files\DVD Maker\Shared\ACDSee 9.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Windown Longhorn Beta Leak.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\XXX hardcore images.exe	chkdskw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Adobe Photoshop 9 full.exe	chkdskw.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	mstcpmon.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	1648	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstcpmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdskw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstcpmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	mstcpmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5188283-49CE-44AE-87BC-371ACD2223D3}	mstcpmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5188283-49CE-44AE-87BC-371ACD2223D3}\InProcServer32\ = "mswshell.dll"	mstcpmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5188283-49CE-44AE-87BC-371ACD2223D3}\InProcServer32	mstcpmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	mstcpmon.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
1648	mstcpmon.exe
576	sfc32.exe
576	sfc32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	chkdskw.exe
Token: SeDebugPrivilege	1648	mstcpmon.exe
Token: SeDebugPrivilege	1648	mstcpmon.exe
Token: SeDebugPrivilege	1648	mstcpmon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	mstcpmon.exe
1648	mstcpmon.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1648	2552	a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe	29
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 1724	1648	mstcpmon.exe	30
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 2300	1648	mstcpmon.exe	31
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 576	1648	mstcpmon.exe	32
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33
PID 1648 wrote to memory of 2004	1648	mstcpmon.exe	33

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sfc32.exe

C:\Users\Admin\AppData\Local\Temp\a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a092c54e333aa6800628dcfcecb439fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- \??\c:\windows\SysWOW64\mstcpmon.exe
  c:\windows\system32\mstcpmon.exe c:\users\admin\appdata\local\temp\a092c54e333aa6800628dcfcecb439fe_jaffacakes118.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - \??\c:\windows\SysWOW64\chkdskw.exe
    chkdskw.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\SysWOW64\mstcpmon.exe
    C:\Windows\system32\mstcpmon.exe x
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2300
- - \??\c:\windows\SysWOW64\sfc32.exe
    sfc32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 608
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mstcpmon.exe

Filesize
78KB

MD5
a092c54e333aa6800628dcfcecb439fe

SHA1
6ba81474ca3f99d6c5d5693e719102a80c69bb99

SHA256
f1c17c47cc9f05d5573576e8bf3fb7ba16a05351c7da606e128133d2195e7be0

SHA512
daadbf2ef09baad5236bf0657d0eb7f2512b747a905ef90c73d8db3f5ddfdf386db372d845149f66ff7767ad8b697afaf7566754d315133349258fb04054a28d

Download Submit
C:\Windows\win.ini

Filesize
499B

MD5
a47b652d77020cdb16e976a88839ba82

SHA1
82b43d39b6aeeb13fc25df7bd9bae30d5dc8a0bc

SHA256
cfb1988af7ba535bc0908aa420dd412403a8d4d1f207657a5b547576353703c0

SHA512
54b6dc5944d52fc226d3205f95208cc75c6fe755895a25bbaf008a50ad525ee19351c422f2e47af94c9d4e77a882a4a4edc62112538afeafe77df0ad282b48eb

Download Submit
\??\c:\windows\SysWOW64\itstore.dll

Filesize
47KB

MD5
5a5c04f07cc784e1ef4f5e089c3ba6de

SHA1
291dddf9928b1a86356884c7abb3697975cd8ffe

SHA256
f50d6973448407d51b57bd13fe10942aa3d0ffc3f932a15bf7fc4ada6f9376c6

SHA512
a966c8b985cc08f481d2f6ad81437ae7a533a949142640be156f576854a531414c2bb1452c994a4d0d61a929834b0ac36c702610613132a586b51deb4218650e

Download Submit
\Windows\SysWOW64\chkdskw.exe

Filesize
10KB

MD5
b71a61aacd04d1023f2b01a951cf0a33

SHA1
464f9c7dea6f39a0dfa2b519e4baf71231770098

SHA256
8386c796f20224bc86fac22d25b46bb683cb69a83bed01eeeb5af320f45dec9d

SHA512
9aa1dca13adf9f73b1f4d7b3def64f2abfe7dbb5a982b3662b42b894aedcc713f879afce887171577c9e495348a261579230f3c27251cb5e430fa4f5b87d255f

Download Submit
\Windows\SysWOW64\mslogon.dll

Filesize
7KB

MD5
057b07e58b0ade524b5b6c49264ca1b7

SHA1
eb16762c5f117336c1cebe399ba30ea6955edd56

SHA256
9a00329150bab6d238a183b0512cf8258bc5863345cdb04c99bddd01b72cdabf

SHA512
ebaf2b47818de31c1fc2698ad169791e7bd68e03c46f88fbf98e781230bb5f9d5af676eb09d495ff51f1081a60e4dc47ba3f7c673d8eeeef0e3da1b57987e6de

Download Submit
\Windows\SysWOW64\mswshell.dll

Filesize
3KB

MD5
34a5261af15ebfc562a0552ef9e4d060

SHA1
ac1e8c9ff6663c37fd27ce5fc1bc1dc2de7a54d1

SHA256
c2a54ed0039fb603ad7f1aa214d093c8bfcfb24d7b2d3b79499ef229d16d9333

SHA512
777cdfba6d5526d2e0862d992ed93cb19008c69624085f5b105b0d6cc4d87a63afd702464f0a83a79481193b9a96ec92415d981f092601eb6cc4b87007e3b24e

Download Submit
\Windows\SysWOW64\sfc32.exe

Filesize
12KB

MD5
211e066a927f96e027660385d7915add

SHA1
f7cb5a7b9596e4755c088c6afb7177ce45b0f3de

SHA256
9379029a191f51cd032c07ce040b1a1121c4e2e15afa4be2332a8525e707ef0c

SHA512
a532fa9f972230c67556b3809911637183d1d38fd2706b24082e4e145ec04126a37f6f6fbea171cf05d7b807c9d6e884a1116c20ca945f5e18d9a0e502b46bc9

Download Submit
memory/576-112-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/576-109-0x00000000021C0000-0x00000000021F8000-memory.dmp

Filesize
224KB

Download
memory/1648-137-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1648-114-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1648-115-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1648-113-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1648-52-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1648-66-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1648-149-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1648-64-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1648-15-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1724-54-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1724-166-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-57-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1724-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-186-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-32-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1724-150-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-154-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-158-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-162-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-182-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-167-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1724-170-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-174-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1724-178-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2300-73-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2552-5-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download