Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 00:50

General

  • Target

    27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe

  • Size

    912KB

  • MD5

    27fe48d011aafc1dfc3e254c375993d3

  • SHA1

    dd6111e2eee0a1013c020b866538b6da77376164

  • SHA256

    542a1bc1a41eb5b5be6476dbddceb4cac2b316105940ddf44411ca9982c9cd34

  • SHA512

    2df8684700395e2885a51ab3f10c2c36674ce99025a29f19b25b4375ffcecad7bf322470e663ed41bbc3f27a16003959b1ee8f6d52e66557aed00736aec6481e

  • SSDEEP

    24576:Z/DtgSt8NidS0strkNim5Gm/X1aP/SdqJyg5BtOg/xzuw7W:26NiWGxXSdSltOg/xt7W

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Pony,Fareit

    Pony (also tracked as Fareit) is an information-stealing trojan: it harvests credentials saved by web browsers, FTP and e-mail clients and other applications, sends them to its command-and-control server, and is frequently used as a first-stage loader for further payloads.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a component under HKLM\Software\Microsoft\Active Setup\Installed Components: Windows runs that component's StubPath command once per user at logon (whenever the matching HKCU entry is missing or carries a lower version), which makes it a durable and rarely audited autostart.

  • Disables taskbar notifications via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
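The Active Setup and Run-key signatures above are the two registry autostarts a responder would check first on a host that ran this sample. The following is an added example, not part of the sandbox report: a triage script that parses a Windows `.reg` export and lists Active Setup StubPath and Run/RunOnce entries, then narrows them to executables living in user-writable directories. The export in `SAMPLE_REG` is constructed for illustration; its GUIDs, value names and paths are hypothetical and are not artifacts from this sample.

```python
"""Triage a Windows .reg export for the two persistence mechanisms listed in
the Signatures section: Active Setup StubPath entries and Run/RunOnce values
whose executable sits in a user-writable location.

Added example, not part of the report. SAMPLE_REG below is constructed; the
GUIDs, value names and paths in it are illustrative, not from the sample."""
import re

ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\wow6432node\\microsoft\\windows\\currentversion\\run",
)
# Directories an unprivileged user can write to. A persistence entry whose
# executable lives here deserves a closer look than one under System32.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%appdata%", "%localappdata%",
                 "%temp%", "%userprofile%")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" with .reg escaping (\\ for a backslash, \" for a quote)
STR_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for REG_SZ values only.
    hex:/dword: values are skipped; they cannot carry a command line."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = STR_RE.match(line) if current else None
        if m:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("val"))
    return keys


def image_path(cmd: str) -> str:
    """First token of a command line: the quoted path, or everything up to the
    first space (an unquoted path that itself contains spaces is truncated)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def find_persistence(text: str) -> list:
    """All Active Setup StubPath and Run/RunOnce entries as (kind, key, command)."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if ACTIVE_SETUP in k and "StubPath" in values:
            findings.append(("active_setup", key, values["StubPath"]))
        elif k.endswith(RUN_KEYS):
            for name, cmd in values.items():
                findings.append(("run_key", key + "\\" + name, cmd))
    return findings


def suspicious(findings: list) -> list:
    """Entries whose executable sits in a user-writable directory."""
    return [f for f in findings if image_path(f[2]).lower().startswith(USER_WRITABLE)]


# Constructed export: one legitimate Active Setup entry, one pointing into
# AppData, one legitimate Run value and one Run value in the user profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -BaseSettings"
"Version"="11,0,9600,18893"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-0000-4000-8000-000000000001}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\Q9x\\svc.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Admin\\upd.exe"
'''

if __name__ == "__main__":
    for kind, key, cmd in suspicious(find_persistence(SAMPLE_REG)):
        print(f"[{kind}] {key} -> {cmd}")
```

When reading a real export from disk, note that `reg export` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing its text to `find_persistence`. The user-writable filter is a triage heuristic, not a verdict: a StubPath under Program Files can still be malicious (this sample drops into `Program Files (x86)\LP`), so review the full `find_persistence` list as well.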

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:852
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe"
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Users\Admin\u2AzQ8M2.exe
            C:\Users\Admin\u2AzQ8M2.exe
            3⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Users\Admin\jiwaw.exe
              "C:\Users\Admin\jiwaw.exe"
              4⤵
              • Modifies visibility of hidden/system files in Explorer
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2908
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c tasklist&&del u2AzQ8M2.exe
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2720
          • C:\Users\Admin\2suv.exe
            C:\Users\Admin\2suv.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1248
            • C:\Users\Admin\2suv.exe
              "C:\Users\Admin\2suv.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2056
            • C:\Users\Admin\2suv.exe
              "C:\Users\Admin\2suv.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2008
            • C:\Users\Admin\2suv.exe
              "C:\Users\Admin\2suv.exe"
              4⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Suspicious behavior: EnumeratesProcesses
              PID:2072
            • C:\Users\Admin\2suv.exe
              "C:\Users\Admin\2suv.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:580
            • C:\Users\Admin\2suv.exe
              "C:\Users\Admin\2suv.exe"
              4⤵
              • Executes dropped EXE
              PID:688
          • C:\Users\Admin\3suv.exe
            C:\Users\Admin\3suv.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • System policy modification
            PID:948
            • C:\Users\Admin\3suv.exe
              C:\Users\Admin\3suv.exe startC:\Users\Admin\AppData\Roaming\C8A4E\3CD43.exe%C:\Users\Admin\AppData\Roaming\C8A4E
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1544
            • C:\Users\Admin\3suv.exe
              C:\Users\Admin\3suv.exe startC:\Program Files (x86)\4E34E\lvvm.exe%C:\Program Files (x86)\4E34E
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2896
            • C:\Program Files (x86)\LP\43CC\ACF2.tmp
              "C:\Program Files (x86)\LP\43CC\ACF2.tmp"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:3000
          • C:\Users\Admin\4suv.exe
            C:\Users\Admin\4suv.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2780
          • C:\Users\Admin\5suv.exe
            C:\Users\Admin\5suv.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            PID:2580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del 27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
            3⤵
            • Deletes itself
            • System Location Discovery: System Language Discovery
            PID:564
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2060
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1740
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        1⤵
          PID:2380

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\C8A4E\E34E.8A4

          Filesize

          300B

          MD5

          a4269ad97e6eda75253df27fc6e8b336

          SHA1

          c5320b7114ccd5ff49f2e345e6bb86e9cf3979a8

          SHA256

          f86d3b8edcb488a474e81195cc7de31e975c6f1866068319b4d41a885a2c6b90

          SHA512

          cbf5814e51da525efe5787b8045320e1578b02ec7d8da877bbd4344d3e8655fa1c4076fa4dd600e4b2084851481ee6428d9f1a027ebd4d8ea0a7efd96de7ff6e

        • C:\Users\Admin\AppData\Roaming\C8A4E\E34E.8A4

          Filesize

          600B

          MD5

          6de479aac33f072b0d9c6fab2f7dcee8

          SHA1

          9755c49d737e204a78d079f834f05a6860b7e11a

          SHA256

          75e75a85fb4b9b6fabcf7bcbcf81ed10525a0e0e7d63ee712035cd002d669c4b

          SHA512

          28ed71880a0def829acf8482e674ff155d42b4b6a67e8d28ad605785331ec0f6b7561bac960ac31968ad57cb9b33eb503d732f2a849663b80196a0463a78dbc6

        • C:\Users\Admin\AppData\Roaming\C8A4E\E34E.8A4

          Filesize

          996B

          MD5

          3d37a5afcde554ce2242d50b45a23b6c

          SHA1

          02a37e9d76a8876ba2fb3da32af000462e5688dc

          SHA256

          b3b43467ae4721f4068132310a020672e5640cf81f09109db2d4327135686a13

          SHA512

          50a672aef582eb2776bc47ae2bcb56da8f6f1f9ba56f219b629756235736697e231dfc8367c6e17dfc8d9ab50a2eb3f71100d18699f580047951598715cef766

        • C:\Users\Admin\AppData\Roaming\C8A4E\E34E.8A4

          Filesize

          1KB

          MD5

          8aa9b0605245851baf651733b8611f3c

          SHA1

          7ed0865b7a8e5df0bff597945ecbee0c523746ab

          SHA256

          0a73ebeded9de6dd917684c985cd690f7532a1f5ee8c10f30eaf30111cf691c2

          SHA512

          607bbdaf31ad9f136ae79af32c03acdb53293e48dd15290636ee002a6fb89fa9dc71059ccebea8b512912d9d530e5977a14e005a314dfab5089a83ca71ffd7a0

        • C:\Windows\system32\consrv.dll

          Filesize

          52KB

          MD5

          6bf2039986af96d98e08824ac6c383fd

          SHA1

          0bb6384656a96943cb427baa92446f987219a02e

          SHA256

          a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

          SHA512

          fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

        • \??\globalroot\systemroot\assembly\temp\@

          Filesize

          2KB

          MD5

          43472c5c2ac42c6f2abd1e68f316339b

          SHA1

          55ad16c1894e47d1d6c292547dd2821706f7a098

          SHA256

          a28ce88808028424bde24ffefec25cfae19dcdc0560a3f0567913ea67ec46959

          SHA512

          090f21d283b77d80571b86120cd743f5623d3ee266e772a348d38065059048a448a46fd078bd6da92bd0e87299ccd21be2253119631098e1055c1dc294743a56

        • \Program Files (x86)\LP\43CC\ACF2.tmp

          Filesize

          100KB

          MD5

          340f18faddf54d738f6e56fe3d8b1d54

          SHA1

          bb247a2f8db305906d558c0c665cc7fd7f86ff67

          SHA256

          4613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572

          SHA512

          e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74

        • \Users\Admin\2suv.exe

          Filesize

          136KB

          MD5

          449cf714ddba0f68cb17bc7f9698949b

          SHA1

          3639bfa3d1563f9a4e2caad9a21074e87b3bfa73

          SHA256

          3c3c398934492f2073aa3a725bff53909ef1bd1a7df82a7467a66d712df12010

          SHA512

          8a08aef0b537395f2503790c7eee4c28986c4fd76670d05018004b3c77011fa4b9d8d3d791ec65ccf6a638f47f007666ea708957776772d5ab6f6d5cae64c81f

        • \Users\Admin\3suv.exe

          Filesize

          282KB

          MD5

          4cb5a771ce28147c7d06d03c64b9914e

          SHA1

          e9db837f54c6811c1800ace9c1658256a5dd28dc

          SHA256

          1d7e6f955b82e4c9942a7f7bf08a560ddb9509440772c02e07af3dd47cf084de

          SHA512

          68f1300dae97e1c9c3679a09af8a3e17f34ea9342e9d84bff9ce4f52e930061bcbd7cf92bea86d9800588e5752ab6330a4dd46694bbeabc2f9deb5edf0a8d394

        • \Users\Admin\4suv.exe

          Filesize

          222KB

          MD5

          fccb4b8525eee78e03aa75e9bf4fd80e

          SHA1

          84089b8ddf234421442fd74084b3db06d1da583d

          SHA256

          5cf450a87d80b85a3f2907787515d23be45be55c8795be4920f9a9694421c580

          SHA512

          40e78b73b6c593e124830329b65262999a51706fca2bf49e75e50b77d3a75923ad8d4b5daab63ea9b9dafee39105024609ec98bfbb7d8f86275213f770aaebdc

        • \Users\Admin\5suv.exe

          Filesize

          120KB

          MD5

          3fe209cb336f44a0719e53e3b9354aa8

          SHA1

          c37a59ba00521c78d81f0e7cf2713b41593e12a3

          SHA256

          19102a9ce99b067f69ec9b53844aa2e29fbed3d53efbb06e24501ee70af60db1

          SHA512

          6e872ee319e1900fa8ab9b257ec3ee62cc2578476bfc2770090255706f5ea685a5034a1c7b857a088547e130c5cc2b35d65aed54df6965a5274e019293065c09

        • \Users\Admin\jiwaw.exe

          Filesize

          320KB

          MD5

          ef5582548aa9f84e2775c7e9b417b9c9

          SHA1

          780797325d6cdfe314b429a6a6b98cc0eaffe828

          SHA256

          0ff5dd3d78990979f6015aa92478f44df24b66cf7211061cc82b3b13937869fe

          SHA512

          17e54c5a2669891474a6309e86620ef2da9b1f2e456b6a0260dbf9379635ab7e8150f13385d504bb36eb846be22fe15fb9de2093e67dd26c3cc04d6fba4db13c

        • \Users\Admin\u2AzQ8M2.exe

          Filesize

          320KB

          MD5

          00331c104d4c30069741125bf900e6b4

          SHA1

          95474504693734516528ec9455bb46c371205b65

          SHA256

          241d93de37cc4a47907583ac7d543b7bf64571f1afa1011a58b91b6907897977

          SHA512

          f4c52841a15137fea0d12f024d77701dded3ffc996be05d4ed7804e89d40fa6cbe617b1e36fdaac06bc5edf3087b53c8361ccfd2b716083d345843f6808a82ef

        • \Windows\assembly\GAC_32\Desktop.ini

          Filesize

          4KB

          MD5

          878f9b6da85cb98fcbdf6abd1730a32f

          SHA1

          343007e658ea541f4680b4edf4513e69e1cc18a6

          SHA256

          75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d

          SHA512

          5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293

        • memory/336-176-0x0000000002320000-0x0000000002331000-memory.dmp

          Filesize

          68KB

        • memory/580-82-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/580-77-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/580-87-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/580-85-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/580-191-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/580-79-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/948-197-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/1200-161-0x0000000002E90000-0x0000000002E96000-memory.dmp

          Filesize

          24KB

        • memory/1200-165-0x0000000002E90000-0x0000000002E96000-memory.dmp

          Filesize

          24KB

        • memory/1200-169-0x0000000002E90000-0x0000000002E96000-memory.dmp

          Filesize

          24KB

        • memory/1544-199-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

        • memory/1852-178-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/2008-63-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2008-53-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2008-55-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2008-58-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2008-61-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2008-60-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2008-51-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/2056-38-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2056-40-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2056-48-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2056-42-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2056-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2056-45-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2056-101-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2056-47-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2072-66-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2072-182-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2072-64-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2072-73-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2072-74-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2072-84-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2072-68-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2364-192-0x0000000002AD0000-0x00000000031E9000-memory.dmp

          Filesize

          7.1MB

        • memory/2364-189-0x0000000002AD0000-0x00000000031E9000-memory.dmp

          Filesize

          7.1MB

        • memory/2364-207-0x0000000002AD0000-0x00000000031E9000-memory.dmp

          Filesize

          7.1MB

        • memory/2580-190-0x0000000000400000-0x0000000000B19000-memory.dmp

          Filesize

          7.1MB

        • memory/2580-205-0x0000000000400000-0x0000000000B19000-memory.dmp

          Filesize

          7.1MB