metasploit | 48e10a914d4e2c754c223e1a6fd2a373c71de262b135a92db790de03944ea85c

Analysis

max time kernel
147s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
Size

410KB
MD5

f5939606bd81a26a63e7d75f1604f512
SHA1

a21c1712f4a8900bcf0017afd3ceb1c15b791fd3
SHA256

48e10a914d4e2c754c223e1a6fd2a373c71de262b135a92db790de03944ea85c
SHA512

7bc4b3da5630a14d2612a4bb2c7a439e4de91ae357ae0db16d132d0eebd872d9f5abed0ec1a8365d4ca2cb4144867048fba9cdbaa5ae8bb8476234570121d24b
SSDEEP

6144:uwdlYcZu3veqrqAcRijtpIYvolrl9g+ymzOLPrnOKIgkKUM/CoFGR34eTmup:uTvFRpIDvv1CTLOLvqCgCj64

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 20 IoCs

pid	Process
4252	peterrr.exe
4048	peterrr.exe
624	peterrr.exe
1064	peterrr.exe
4960	peterrr.exe
2536	peterrr.exe
4064	peterrr.exe
3276	peterrr.exe
464	peterrr.exe
3452	peterrr.exe
5000	peterrr.exe
4176	peterrr.exe
3736	peterrr.exe
1504	peterrr.exe
3324	peterrr.exe
244	peterrr.exe
5056	peterrr.exe
3232	peterrr.exe
4076	peterrr.exe
3348	peterrr.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3316 set thread context of 4324	3316	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	84
PID 4252 set thread context of 4048	4252	peterrr.exe	86
PID 624 set thread context of 1064	624	peterrr.exe	95
PID 4960 set thread context of 2536	4960	peterrr.exe	98
PID 4064 set thread context of 3276	4064	peterrr.exe	101
PID 464 set thread context of 3452	464	peterrr.exe	103
PID 5000 set thread context of 4176	5000	peterrr.exe	105
PID 3736 set thread context of 1504	3736	peterrr.exe	107
PID 3324 set thread context of 244	3324	peterrr.exe	109
PID 5056 set thread context of 3232	5056	peterrr.exe	111
PID 4076 set thread context of 3348	4076	peterrr.exe	113

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4324	3316	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	84
PID 3316 wrote to memory of 4324	3316	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	84
PID 3316 wrote to memory of 4324	3316	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	84
PID 3316 wrote to memory of 4324	3316	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	84
PID 3316 wrote to memory of 4324	3316	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	84
PID 4324 wrote to memory of 4252	4324	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	85
PID 4324 wrote to memory of 4252	4324	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	85
PID 4324 wrote to memory of 4252	4324	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	85
PID 4252 wrote to memory of 4048	4252	peterrr.exe	86
PID 4252 wrote to memory of 4048	4252	peterrr.exe	86
PID 4252 wrote to memory of 4048	4252	peterrr.exe	86
PID 4252 wrote to memory of 4048	4252	peterrr.exe	86
PID 4252 wrote to memory of 4048	4252	peterrr.exe	86
PID 4048 wrote to memory of 624	4048	peterrr.exe	94
PID 4048 wrote to memory of 624	4048	peterrr.exe	94
PID 4048 wrote to memory of 624	4048	peterrr.exe	94
PID 624 wrote to memory of 1064	624	peterrr.exe	95
PID 624 wrote to memory of 1064	624	peterrr.exe	95
PID 624 wrote to memory of 1064	624	peterrr.exe	95
PID 624 wrote to memory of 1064	624	peterrr.exe	95
PID 624 wrote to memory of 1064	624	peterrr.exe	95
PID 1064 wrote to memory of 4960	1064	peterrr.exe	97
PID 1064 wrote to memory of 4960	1064	peterrr.exe	97
PID 1064 wrote to memory of 4960	1064	peterrr.exe	97
PID 4960 wrote to memory of 2536	4960	peterrr.exe	98
PID 4960 wrote to memory of 2536	4960	peterrr.exe	98
PID 4960 wrote to memory of 2536	4960	peterrr.exe	98
PID 4960 wrote to memory of 2536	4960	peterrr.exe	98
PID 4960 wrote to memory of 2536	4960	peterrr.exe	98
PID 2536 wrote to memory of 4064	2536	peterrr.exe	100
PID 2536 wrote to memory of 4064	2536	peterrr.exe	100
PID 2536 wrote to memory of 4064	2536	peterrr.exe	100
PID 4064 wrote to memory of 3276	4064	peterrr.exe	101
PID 4064 wrote to memory of 3276	4064	peterrr.exe	101
PID 4064 wrote to memory of 3276	4064	peterrr.exe	101
PID 4064 wrote to memory of 3276	4064	peterrr.exe	101
PID 4064 wrote to memory of 3276	4064	peterrr.exe	101
PID 3276 wrote to memory of 464	3276	peterrr.exe	102
PID 3276 wrote to memory of 464	3276	peterrr.exe	102
PID 3276 wrote to memory of 464	3276	peterrr.exe	102
PID 464 wrote to memory of 3452	464	peterrr.exe	103
PID 464 wrote to memory of 3452	464	peterrr.exe	103
PID 464 wrote to memory of 3452	464	peterrr.exe	103
PID 464 wrote to memory of 3452	464	peterrr.exe	103
PID 464 wrote to memory of 3452	464	peterrr.exe	103
PID 3452 wrote to memory of 5000	3452	peterrr.exe	104
PID 3452 wrote to memory of 5000	3452	peterrr.exe	104
PID 3452 wrote to memory of 5000	3452	peterrr.exe	104
PID 5000 wrote to memory of 4176	5000	peterrr.exe	105
PID 5000 wrote to memory of 4176	5000	peterrr.exe	105
PID 5000 wrote to memory of 4176	5000	peterrr.exe	105
PID 5000 wrote to memory of 4176	5000	peterrr.exe	105
PID 5000 wrote to memory of 4176	5000	peterrr.exe	105
PID 4176 wrote to memory of 3736	4176	peterrr.exe	106
PID 4176 wrote to memory of 3736	4176	peterrr.exe	106
PID 4176 wrote to memory of 3736	4176	peterrr.exe	106
PID 3736 wrote to memory of 1504	3736	peterrr.exe	107
PID 3736 wrote to memory of 1504	3736	peterrr.exe	107
PID 3736 wrote to memory of 1504	3736	peterrr.exe	107
PID 3736 wrote to memory of 1504	3736	peterrr.exe	107
PID 3736 wrote to memory of 1504	3736	peterrr.exe	107
PID 1504 wrote to memory of 3324	1504	peterrr.exe	108
PID 1504 wrote to memory of 3324	1504	peterrr.exe	108
PID 1504 wrote to memory of 3324	1504	peterrr.exe	108

C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\peterrr.exe
    C:\Windows\system32\peterrr.exe 1044 "C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\peterrr.exe
      C:\Windows\SysWOW64\peterrr.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1148 "C:\Windows\SysWOW64\peterrr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1124 "C:\Windows\SysWOW64\peterrr.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1124 "C:\Windows\SysWOW64\peterrr.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1124 "C:\Windows\SysWOW64\peterrr.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1120 "C:\Windows\SysWOW64\peterrr.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1124 "C:\Windows\SysWOW64\peterrr.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1120 "C:\Windows\SysWOW64\peterrr.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1120 "C:\Windows\SysWOW64\peterrr.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 1124 "C:\Windows\SysWOW64\peterrr.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\peterrr.exe

Filesize
410KB

MD5
f5939606bd81a26a63e7d75f1604f512

SHA1
a21c1712f4a8900bcf0017afd3ceb1c15b791fd3

SHA256
48e10a914d4e2c754c223e1a6fd2a373c71de262b135a92db790de03944ea85c

SHA512
7bc4b3da5630a14d2612a4bb2c7a439e4de91ae357ae0db16d132d0eebd872d9f5abed0ec1a8365d4ca2cb4144867048fba9cdbaa5ae8bb8476234570121d24b

Download Submit
memory/244-66-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/244-69-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/244-74-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1064-27-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1064-24-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1064-32-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1064-23-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1064-22-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1504-67-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1504-62-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1504-59-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2536-39-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2536-31-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2536-34-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3232-73-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3232-76-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3232-81-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3276-38-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3276-41-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3276-46-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3348-83-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3348-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3452-45-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3452-48-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3452-53-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4048-14-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4048-25-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4048-13-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4048-18-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4048-12-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4176-52-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4176-60-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4176-55-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4324-17-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4324-3-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4324-2-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4324-0-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4324-1-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download