cded0d1fb8f8892a03c3e345491b91a6a74d478b15d0b944ee1577d410c445ac

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
Size

1.8MB
MD5

fd5264cc18e3667fc791b47fca75a7ae
SHA1

a38aba26dd142be6aab2605a38e523cd17bc318b
SHA256

cded0d1fb8f8892a03c3e345491b91a6a74d478b15d0b944ee1577d410c445ac
SHA512

0ca8cf9781660f26fdce5b02637146c2f6fe763c3c6dc0f6c807649f987a2fc6026a1bc315fc6bfe25789cf96af60f257c4ce1d19453e07dfdec8b2ea85936b6
SSDEEP

49152:XXLQ2SbDJKQvvwV968vqeyyt4j6p+kW1OMzlij8HVT:XbQPbDJKr/vF+j66ONYHx

Score

10^/10

aspackv2 discovery evasion persistence themida upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	SERVER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SERVER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	SERVER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	SERVER.EXE

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000173a7-75.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2884	OIIIII.EXE
284	SERVER.EXE
2428	fservice.exe
764	services.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	OIIIII.EXE

Loads dropped DLL 7 IoCs

pid	Process
284	SERVER.EXE
284	SERVER.EXE
764	services.exe
764	services.exe
2428	fservice.exe
284	SERVER.EXE
1660	WerFault.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x00000000005D1000-memory.dmp	themida
behavioral1/memory/2504-7-0x0000000000400000-0x00000000005D1000-memory.dmp	themida
behavioral1/memory/2504-6-0x0000000000400000-0x00000000005D1000-memory.dmp	themida
behavioral1/files/0x0008000000016c51-20.dat	themida
behavioral1/memory/2504-25-0x0000000000400000-0x00000000005D1000-memory.dmp	themida
behavioral1/memory/2884-24-0x0000000000400000-0x0000000000514000-memory.dmp	themida
behavioral1/memory/2504-22-0x00000000050E0000-0x00000000051F4000-memory.dmp	themida
behavioral1/memory/2884-31-0x0000000000400000-0x0000000000514000-memory.dmp	themida
behavioral1/memory/2884-35-0x0000000000400000-0x0000000000514000-memory.dmp	themida
behavioral1/memory/2884-36-0x0000000000400000-0x0000000000514000-memory.dmp	themida
behavioral1/memory/2884-44-0x0000000000400000-0x0000000000514000-memory.dmp	themida
behavioral1/memory/2884-99-0x0000000004AD0000-0x0000000004CCC000-memory.dmp	themida

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	SERVER.EXE
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	SERVER.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2504	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
2884	OIIIII.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016cec-40.dat	upx
behavioral1/memory/284-47-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2884-46-0x0000000004AD0000-0x0000000004CCC000-memory.dmp	upx
behavioral1/memory/2428-61-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/764-73-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2428-93-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/284-95-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/764-100-0x0000000000400000-0x00000000005FC000-memory.dmp	upx

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\OIIIII.EXE	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
File created	C:\Windows\SERVER.EXE	OIIIII.EXE
File created	C:\Windows\system\sservice.exe	SERVER.EXE
File opened for modification	C:\Windows\system\sservice.exe	SERVER.EXE
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\GODOFREDO.JPG	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
File created	C:\Windows\CSERVER.EXE	OIIIII.EXE
File created	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\COIIIII.EXE	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
File created	C:\Windows\SERVER.EXE.bat	SERVER.EXE
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\CGODOFREDO.JPG	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
File opened for modification	C:\Windows\GODOFREDO.JPG	DllHost.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1660	764	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OIIIII.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2504	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
2884	OIIIII.EXE
764	services.exe
764	services.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2800	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
764	services.exe
764	services.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2884	2504	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2884	2504	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2884	2504	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2884	2504	fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe	31
PID 2884 wrote to memory of 284	2884	OIIIII.EXE	32
PID 2884 wrote to memory of 284	2884	OIIIII.EXE	32
PID 2884 wrote to memory of 284	2884	OIIIII.EXE	32
PID 2884 wrote to memory of 284	2884	OIIIII.EXE	32
PID 284 wrote to memory of 2428	284	SERVER.EXE	33
PID 284 wrote to memory of 2428	284	SERVER.EXE	33
PID 284 wrote to memory of 2428	284	SERVER.EXE	33
PID 284 wrote to memory of 2428	284	SERVER.EXE	33
PID 2428 wrote to memory of 764	2428	fservice.exe	34
PID 2428 wrote to memory of 764	2428	fservice.exe	34
PID 2428 wrote to memory of 764	2428	fservice.exe	34
PID 2428 wrote to memory of 764	2428	fservice.exe	34
PID 764 wrote to memory of 1684	764	services.exe	35
PID 764 wrote to memory of 1684	764	services.exe	35
PID 764 wrote to memory of 1684	764	services.exe	35
PID 764 wrote to memory of 1684	764	services.exe	35
PID 764 wrote to memory of 1644	764	services.exe	36
PID 764 wrote to memory of 1644	764	services.exe	36
PID 764 wrote to memory of 1644	764	services.exe	36
PID 764 wrote to memory of 1644	764	services.exe	36
PID 284 wrote to memory of 2916	284	SERVER.EXE	39
PID 284 wrote to memory of 2916	284	SERVER.EXE	39
PID 284 wrote to memory of 2916	284	SERVER.EXE	39
PID 284 wrote to memory of 2916	284	SERVER.EXE	39
PID 1684 wrote to memory of 492	1684	NET.exe	40
PID 1684 wrote to memory of 492	1684	NET.exe	40
PID 1684 wrote to memory of 492	1684	NET.exe	40
PID 1684 wrote to memory of 492	1684	NET.exe	40
PID 1644 wrote to memory of 1044	1644	NET.exe	41
PID 1644 wrote to memory of 1044	1644	NET.exe	41
PID 1644 wrote to memory of 1044	1644	NET.exe	41
PID 1644 wrote to memory of 1044	1644	NET.exe	41
PID 764 wrote to memory of 1660	764	services.exe	43
PID 764 wrote to memory of 1660	764	services.exe	43
PID 764 wrote to memory of 1660	764	services.exe	43
PID 764 wrote to memory of 1660	764	services.exe	43

C:\Users\Admin\AppData\Local\Temp\fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\OIIIII.EXE
  "C:\Windows\OIIIII.EXE"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SERVER.EXE
    "C:\Windows\SERVER.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:284
  - - C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\services.exe
        
        C:\Windows\services.exe -XP
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:492
      - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 572
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\SERVER.EXE.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GODOFREDO.JPG

Filesize
18KB

MD5
f3d51d16edc99bf0d78b8bebb03f6fb1

SHA1
62a50b6fa9f8cd2876b8c1d45f83e631efcb577e

SHA256
d2f3fdfa6f95e24490ec7c8ce7adf6e936e89cbe0ba79e42c85a0ccabded541d

SHA512
50b12ac00eec861306a498c3d52433308a8471798ad7509f628201eac07cbe6ca780af8f823e0865e7edc84ed5a15bcdd4027e15a16bc0ff055e597c5270eb6e

Download Submit
C:\Windows\OIIIII.EXE

Filesize
1.1MB

MD5
b84e643b3bbf13bfa6fae155c75d99f1

SHA1
8435932b805df10a26b4b8695bd2fd45e4e178e2

SHA256
1b9fe9aafe0ab40eeeb70257fdd0f3de9d763c21fa14e1d8f9fcea5a65476a02

SHA512
0f630a288cf76fb988d6b54ccebd44c550f77b77f1cf67f52d7e46340206009a4b084cac079a53037258931845e7c7e8ffe0a56b087a9f17d42d4daac39f3a71

Download Submit
C:\Windows\SERVER.EXE

Filesize
342KB

MD5
2d23e6ae050ea09c1031e59421ac606e

SHA1
61a88117a4f81ba70a5d4cfe605e2008b6ea224c

SHA256
e96793dca35c3418a08a63d7e7b4f65ba1b80dc2c9347f58ce8a53bc479d97d5

SHA512
6f50229adf442723a4c3836b5cbcd4f80c5b67897f0a973ea58e3d661c3cea1fd6ee01177401edfecdf25e5b71e91df71e5f8c3146260cc738b47ce16e25f2fb

Download Submit
C:\Windows\SERVER.EXE.bat

Filesize
83B

MD5
fa015dd17dd0ed6c4c19b44179c47aed

SHA1
b36624f479515e7190ba7fec0ccf7673ed1914d7

SHA256
b4d38f4a07fc0709a4cb4e8e3c3e48deec83e1b4f002b051469b421f1bef7d89

SHA512
d1096038e78bd3256eb4f4133d389d659c381a25173acb454dcffc113f1b1895436c72f502eaccd32e43d717aa46046ad65ad92d953f11e449f4a40ab765bb07

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/284-95-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/284-59-0x0000000003470000-0x000000000366C000-memory.dmp

Filesize
2.0MB

Download
memory/284-47-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/764-73-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/764-77-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/764-102-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/764-100-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2428-71-0x00000000033E0000-0x00000000035DC000-memory.dmp

Filesize
2.0MB

Download
memory/2428-61-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2428-93-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2504-26-0x0000000000401000-0x000000000040F000-memory.dmp

Filesize
56KB

Download
memory/2504-7-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2504-1-0x0000000000401000-0x000000000040F000-memory.dmp

Filesize
56KB

Download
memory/2504-25-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2504-6-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2504-8-0x00000000050B0000-0x00000000050B2000-memory.dmp

Filesize
8KB

Download
memory/2504-22-0x00000000050E0000-0x00000000051F4000-memory.dmp

Filesize
1.1MB

Download
memory/2504-23-0x00000000050E0000-0x00000000051F4000-memory.dmp

Filesize
1.1MB

Download
memory/2504-0-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2800-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2800-9-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2800-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2884-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2884-44-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2884-46-0x0000000004AD0000-0x0000000004CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2884-43-0x0000000000401000-0x000000000040F000-memory.dmp

Filesize
56KB

Download
memory/2884-36-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2884-24-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2884-99-0x0000000004AD0000-0x0000000004CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2884-30-0x0000000000401000-0x000000000040F000-memory.dmp

Filesize
56KB

Download
memory/2884-31-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download