677019b82898d51a1b09628b343dde353f0d6769c5becb03f6ef5cddbd4c0dd2

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
Size

1.1MB
MD5

2a859392c6469ad351fd3e19d22e40cc
SHA1

9adfab0b5f862a5dc9e949f261340bf5dac1f513
SHA256

677019b82898d51a1b09628b343dde353f0d6769c5becb03f6ef5cddbd4c0dd2
SHA512

4e94a0d986f0b2802308b3593de91e42844e4fbfb7a2e4ba878df87121fa038be235ede80ec1c37d6ee7ad65c9937bb21dbb1400e230753446ea622e0ccc4735
SSDEEP

24576:TPpOwQoyEvOKdpEcVImZgxUJQB0CQKP+Odrg4XJ5H:jcl36pEcVxo0CPDdEUf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
2704	system34.exe
2884	system34.exe
2784	system34.exe
2652	system34.exe
1340	system34.exe
2856	system34.exe
2680	system34.exe
2848	system34.exe
2840	system34.exe
2128	system34.exe
2196	system34.exe
1620	system34.exe
1516	system34.exe
2452	system34.exe
1780	system34.exe
2316	system34.exe
3068	system34.exe
2988	system34.exe
3004	system34.exe
2648	system34.exe

Loads dropped DLL 21 IoCs

pid	Process
3052	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
3052	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
2704	system34.exe
2884	system34.exe
2884	system34.exe
2652	system34.exe
2652	system34.exe
2856	system34.exe
2856	system34.exe
2848	system34.exe
2848	system34.exe
2128	system34.exe
2128	system34.exe
1620	system34.exe
1620	system34.exe
2452	system34.exe
2452	system34.exe
2316	system34.exe
2316	system34.exe
2988	system34.exe
2988	system34.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File created	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe
File opened for modification	C:\Windows\SysWOW64\system34.exe	system34.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1340	system34.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2704 set thread context of 2884	2704	system34.exe	32
PID 2784 set thread context of 2652	2784	system34.exe	35
PID 1340 set thread context of 2856	1340	system34.exe	37
PID 2680 set thread context of 2848	2680	system34.exe	39
PID 2840 set thread context of 2128	2840	system34.exe	41
PID 2196 set thread context of 1620	2196	system34.exe	43
PID 1516 set thread context of 2452	1516	system34.exe	45
PID 1780 set thread context of 2316	1780	system34.exe	47
PID 3068 set thread context of 2988	3068	system34.exe	49
PID 3004 set thread context of 2648	3004	system34.exe	51

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system34.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
2704	system34.exe
2704	system34.exe
2784	system34.exe
2784	system34.exe
1340	system34.exe
1340	system34.exe
2680	system34.exe
2680	system34.exe
2840	system34.exe
2840	system34.exe
2196	system34.exe
2196	system34.exe
1516	system34.exe
1516	system34.exe
1780	system34.exe
1780	system34.exe
3068	system34.exe
3068	system34.exe
3004	system34.exe
3004	system34.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3052	2072	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2704	3052	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2704	3052	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2704	3052	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2704	3052	2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2704 wrote to memory of 2884	2704	system34.exe	32
PID 2884 wrote to memory of 2784	2884	system34.exe	34
PID 2884 wrote to memory of 2784	2884	system34.exe	34
PID 2884 wrote to memory of 2784	2884	system34.exe	34
PID 2884 wrote to memory of 2784	2884	system34.exe	34
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2784 wrote to memory of 2652	2784	system34.exe	35
PID 2652 wrote to memory of 1340	2652	system34.exe	36
PID 2652 wrote to memory of 1340	2652	system34.exe	36
PID 2652 wrote to memory of 1340	2652	system34.exe	36
PID 2652 wrote to memory of 1340	2652	system34.exe	36
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 1340 wrote to memory of 2856	1340	system34.exe	37
PID 2856 wrote to memory of 2680	2856	system34.exe	38
PID 2856 wrote to memory of 2680	2856	system34.exe	38
PID 2856 wrote to memory of 2680	2856	system34.exe	38
PID 2856 wrote to memory of 2680	2856	system34.exe	38
PID 2680 wrote to memory of 2848	2680	system34.exe	39
PID 2680 wrote to memory of 2848	2680	system34.exe	39
PID 2680 wrote to memory of 2848	2680	system34.exe	39
PID 2680 wrote to memory of 2848	2680	system34.exe	39

C:\Users\Admin\AppData\Local\Temp\2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\system34.exe
    C:\Windows\system32\system34.exe 528 "C:\Users\Admin\AppData\Local\Temp\2a859392c6469ad351fd3e19d22e40cc_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\system34.exe
      C:\Windows\SysWOW64\system34.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\system32\system34.exe 524 "C:\Windows\SysWOW64\system34.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\system34.exe
        
        C:\Windows\SysWOW64\system34.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system34.exe

Filesize
1.1MB

MD5
2a859392c6469ad351fd3e19d22e40cc

SHA1
9adfab0b5f862a5dc9e949f261340bf5dac1f513

SHA256
677019b82898d51a1b09628b343dde353f0d6769c5becb03f6ef5cddbd4c0dd2

SHA512
4e94a0d986f0b2802308b3593de91e42844e4fbfb7a2e4ba878df87121fa038be235ede80ec1c37d6ee7ad65c9937bb21dbb1400e230753446ea622e0ccc4735

Download Submit
\??\c:\users\admin\appdata\local\temp\DE40D026

Filesize
14B

MD5
bbec675ebbfafcbe720fc6b71d4df0c8

SHA1
334494f8aea84029516cf2c579bb864da4ae4dfa

SHA256
432ee047a376cb6856d6981b63e5f68a862c9a501c32eadbffb98f91375e99fe

SHA512
006f0dd575a6d09891166205eef98168ec5822b621b5a73795d3917632fbb0be016dcd88848a0e534a932f0fba4a005083240fc3dfc82919e5fbd755538109f7

Download Submit
memory/1340-73-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1340-64-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1516-140-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1620-128-0x00000000029E0000-0x0000000002DC8000-memory.dmp

Filesize
3.9MB

Download
memory/1620-125-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1780-155-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2072-8-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2072-0-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2128-111-0x0000000002810000-0x0000000002BF8000-memory.dmp

Filesize
3.9MB

Download
memory/2128-108-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2128-112-0x0000000002810000-0x0000000002BF8000-memory.dmp

Filesize
3.9MB

Download
memory/2196-124-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2316-156-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2452-144-0x0000000002A00000-0x0000000002DE8000-memory.dmp

Filesize
3.9MB

Download
memory/2452-141-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2452-138-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2652-54-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2652-57-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2652-61-0x0000000002900000-0x0000000002CE8000-memory.dmp

Filesize
3.9MB

Download
memory/2680-91-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2680-79-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2704-30-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2704-39-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2704-34-0x0000000003AD0000-0x0000000003EB8000-memory.dmp

Filesize
3.9MB

Download
memory/2784-56-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2840-107-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2848-89-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2848-92-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2848-95-0x0000000002960000-0x0000000002D48000-memory.dmp

Filesize
3.9MB

Download
memory/2856-74-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2856-82-0x00000000028E0000-0x0000000002CC8000-memory.dmp

Filesize
3.9MB

Download
memory/2856-78-0x00000000028E0000-0x0000000002CC8000-memory.dmp

Filesize
3.9MB

Download
memory/2884-41-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2884-36-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2884-37-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2884-44-0x00000000029A0000-0x0000000002D88000-memory.dmp

Filesize
3.9MB

Download
memory/2988-170-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3004-183-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/3052-4-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3052-20-0x0000000002920000-0x0000000002D08000-memory.dmp

Filesize
3.9MB

Download
memory/3052-9-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3052-28-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3052-40-0x0000000002920000-0x0000000002D08000-memory.dmp

Filesize
3.9MB

Download
memory/3052-7-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3052-29-0x0000000002920000-0x0000000002D08000-memory.dmp

Filesize
3.9MB

Download
memory/3068-169-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download