f464e49900bfe2fb8f568a8906b78eeedc5f6582df6b15ec20ce4f7f94cace1a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
Size

1.0MB
MD5

40fb7c28b5bdfadae6b9ee40326b10bc
SHA1

a8ae2b8425d144eb7246c52517072f35330b697e
SHA256

f464e49900bfe2fb8f568a8906b78eeedc5f6582df6b15ec20ce4f7f94cace1a
SHA512

64de6f4565b641c0e746ec60e6ed92d462e63e46c453f583c389dfaea231a03b29f532dbba28b78517d2f6291451d6098e902244257a595bf9b36040657255cb
SSDEEP

24576:uXQKznLsKA4bTlV9vwSfeqsxC3oh4Rj5xrYIKsIq:QFTl7vyYUQ9Kq

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015d48-28.dat	acprotect
behavioral1/files/0x0008000000015d19-35.dat	acprotect

Executes dropped EXE 10 IoCs

pid	Process
2348	IUB.EXE
1296	ashsvc.exe
2848	COM2.EXE
2612	SVCHOSI.EXE
2568	SVCHOSI.EXE
1936	COM1.EXE
2668	ashsvc.exe
1568	IUB.EXE
2324	COM2.EXE
2724	IUB.EXE

Loads dropped DLL 20 IoCs

pid	Process
2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
2348	IUB.EXE
2348	IUB.EXE
1296	ashsvc.exe
1296	ashsvc.exe
2348	IUB.EXE
2348	IUB.EXE
2848	COM2.EXE
2848	COM2.EXE
2348	IUB.EXE
2348	IUB.EXE
2848	COM2.EXE
2848	COM2.EXE
2668	ashsvc.exe
2668	ashsvc.exe
2612	SVCHOSI.EXE
2612	SVCHOSI.EXE
2612	SVCHOSI.EXE
2612	SVCHOSI.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinSix = "C:\\Windows\\System32\\SVCHOSI.EXE"	REG.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.exe	SVCHOSI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOSI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOSI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2156	REG.exe
2864	REG.exe
1644	REG.exe
2136	REG.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1296	ashsvc.exe
1296	ashsvc.exe
2668	ashsvc.exe
2668	ashsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1296	ashsvc.exe
2668	ashsvc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
2348	IUB.EXE
2848	COM2.EXE
2612	SVCHOSI.EXE
2568	SVCHOSI.EXE
1936	COM1.EXE
1568	IUB.EXE
2324	COM2.EXE
2724	IUB.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2348	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	31
PID 2520 wrote to memory of 2348	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	31
PID 2520 wrote to memory of 2348	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	31
PID 2520 wrote to memory of 2348	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	31
PID 2348 wrote to memory of 1296	2348	IUB.EXE	32
PID 2348 wrote to memory of 1296	2348	IUB.EXE	32
PID 2348 wrote to memory of 1296	2348	IUB.EXE	32
PID 2348 wrote to memory of 1296	2348	IUB.EXE	32
PID 2520 wrote to memory of 2848	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2848	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2848	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2848	2520	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	33
PID 2348 wrote to memory of 2612	2348	IUB.EXE	34
PID 2348 wrote to memory of 2612	2348	IUB.EXE	34
PID 2348 wrote to memory of 2612	2348	IUB.EXE	34
PID 2348 wrote to memory of 2612	2348	IUB.EXE	34
PID 2848 wrote to memory of 2156	2848	COM2.EXE	35
PID 2848 wrote to memory of 2156	2848	COM2.EXE	35
PID 2848 wrote to memory of 2156	2848	COM2.EXE	35
PID 2848 wrote to memory of 2156	2848	COM2.EXE	35
PID 2848 wrote to memory of 2864	2848	COM2.EXE	37
PID 2848 wrote to memory of 2864	2848	COM2.EXE	37
PID 2848 wrote to memory of 2864	2848	COM2.EXE	37
PID 2848 wrote to memory of 2864	2848	COM2.EXE	37
PID 2848 wrote to memory of 2568	2848	COM2.EXE	38
PID 2848 wrote to memory of 2568	2848	COM2.EXE	38
PID 2848 wrote to memory of 2568	2848	COM2.EXE	38
PID 2848 wrote to memory of 2568	2848	COM2.EXE	38
PID 2848 wrote to memory of 1644	2848	COM2.EXE	40
PID 2848 wrote to memory of 1644	2848	COM2.EXE	40
PID 2848 wrote to memory of 1644	2848	COM2.EXE	40
PID 2848 wrote to memory of 1644	2848	COM2.EXE	40
PID 2848 wrote to memory of 2136	2848	COM2.EXE	41
PID 2848 wrote to memory of 2136	2848	COM2.EXE	41
PID 2848 wrote to memory of 2136	2848	COM2.EXE	41
PID 2848 wrote to memory of 2136	2848	COM2.EXE	41
PID 2348 wrote to memory of 1936	2348	IUB.EXE	44
PID 2348 wrote to memory of 1936	2348	IUB.EXE	44
PID 2348 wrote to memory of 1936	2348	IUB.EXE	44
PID 2348 wrote to memory of 1936	2348	IUB.EXE	44
PID 2848 wrote to memory of 2668	2848	COM2.EXE	45
PID 2848 wrote to memory of 2668	2848	COM2.EXE	45
PID 2848 wrote to memory of 2668	2848	COM2.EXE	45
PID 2848 wrote to memory of 2668	2848	COM2.EXE	45
PID 2612 wrote to memory of 1568	2612	SVCHOSI.EXE	46
PID 2612 wrote to memory of 1568	2612	SVCHOSI.EXE	46
PID 2612 wrote to memory of 1568	2612	SVCHOSI.EXE	46
PID 2612 wrote to memory of 1568	2612	SVCHOSI.EXE	46
PID 2612 wrote to memory of 2324	2612	SVCHOSI.EXE	47
PID 2612 wrote to memory of 2324	2612	SVCHOSI.EXE	47
PID 2612 wrote to memory of 2324	2612	SVCHOSI.EXE	47
PID 2612 wrote to memory of 2324	2612	SVCHOSI.EXE	47
PID 2612 wrote to memory of 2724	2612	SVCHOSI.EXE	48
PID 2612 wrote to memory of 2724	2612	SVCHOSI.EXE	48
PID 2612 wrote to memory of 2724	2612	SVCHOSI.EXE	48
PID 2612 wrote to memory of 2724	2612	SVCHOSI.EXE	48

C:\Users\Admin\AppData\Local\Temp\40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1296
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1568
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2724
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1936
- C:\COM2.EXE
  \\.\C:\COM2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v NTLOADER REG_SZ /d "C:\COM2.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2156
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v WinSix /t REG_SZ /d "C:\Windows\System32\SVCHOSI.EXE"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2864
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2568
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1644
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2136
- - C:\Windows\SysWOW64\2026\2045\ashsvc.exe
    C:\Windows\System32\2026\2045\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\COM2.EXE

Filesize
1.0MB

MD5
8581d6935244423c3d34523ab66b6497

SHA1
b59d2a0759ee883ecb7e3a27b92d629e2677ff56

SHA256
eb3554566ec53babb8f4f71a6348f431b620858879cb0025f22bc566adf74e2c

SHA512
861fd11152d271e73fba1a1fd3130280d97a7730bd6d4c72a508a910b20dfc89854a1ef51fe5a24dfc7a9b0349535dd40fd78a59b49d1426865e584ab94e035d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\LIBEAY32.dll

Filesize
494KB

MD5
198d065bd0714482011917307c9ebf46

SHA1
b834c8a5396e59b0fd051dda8849cf9b999aa625

SHA256
acee024120921b1f406d6d7f6d5facf054083ab55993ce4c1ba5ebd6595c7e43

SHA512
489d38aee5d95a9611aff4b170113250d1608e9dc3f496f73018e9980de91f30e58edec0e37d4468f093867d5848044136b0934ee35345daa5a63c73b3e96120

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe

Filesize
125KB

MD5
b33db6ac948c4b6e8d0e5c082b9a303a

SHA1
261fd70fb578503c770d0aaccc4fb861cf9ce7fe

SHA256
b50406caf4b61ca379c6408631d4916f33b87efd3d5f23fb9a7433dd4ff78121

SHA512
24123ecb50205122dbaf595822a5165e2eb370c78bea45122ef1af95c128ced2f1834a5e3d301047bf62bf104cf7038e8e47fa5b926c28f4b29406cdfac17045

Download Submit
\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE

Filesize
1.0MB

MD5
483cb1181b32184be0d2ed2d2411a158

SHA1
b9a6e13623a5865528f07442151af1271f98d820

SHA256
7dcb6a5189e5e7096ab1c6ee35ed93181fbeefda51698bbb481c9332021646a5

SHA512
eec7e9c013445c36c54c3458c190a8defab36b97e68207d40d924dc636f5b1ece8833bd8accb2779989e7de41b9595ecd2e525b7e494f06e7e49fbb9f83cb0be

Download Submit
\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
1.0MB

MD5
44de6feda341b8cab1ad69b6c6d4dad2

SHA1
f85728444c8e2881ab47706d47214412601f909e

SHA256
d35da5be2fe764fb518d7a2fb712d3b9af6db47ff20d692de656f1f6570f09ec

SHA512
6e6aaf0fd5e26f7b5ad97dd4de8b9d483fcc44f0742f8c4cb0f39e0aa2c72728737c233e712a3494c762f4b4004a0bb44dc7ee4643aef62c2834a2cc327cb465

Download Submit
\Users\Admin\AppData\Local\Temp\$Tmp~12026\ssleay32.dll

Filesize
117KB

MD5
c1afdf88451258af208c2eaf90a3e074

SHA1
cc3473b7949e631c4ca0bec21d9430e34e310f2f

SHA256
295331b60026555ea5f27f0e87d5b9d90a5c5fedb656c945d80a3470d4851cc8

SHA512
768330c2bc3ec9ac6803532d833200569442fc5d95193562d8811695b649400eba2ea8166d4f7806a7d9bf6ffbd80c74983f5d05d6698b8f877796f542913609

Download Submit
\Windows\SysWOW64\SVCHOSI.EXE

Filesize
1.0MB

MD5
0ef03767d5999838e8f56310d5d3b155

SHA1
ea6c89cd3483a4f776be2ea4cb79365ea5f58ada

SHA256
d4eb025024ceba0ee56c3d11f3eaa921be918db1b2a811eea263dcb7ec6459ff

SHA512
766c40501fafb35d91d471a0707ff33d7ca762d67daf6e0ad7db1ff993be9b71a78f7c775c506466b64accb2cb5811ce0be02fc675cc872713e88d2e929c9b9f

Download Submit
memory/1296-132-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/1296-40-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1296-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1296-32-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1296-37-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/1296-36-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/1296-55-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/1296-46-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/1296-41-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/1296-133-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/1568-174-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1568-177-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1936-136-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1936-103-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1936-130-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2324-195-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2348-30-0x0000000000780000-0x00000000007E3000-memory.dmp

Filesize
396KB

Download
memory/2348-82-0x0000000003F90000-0x00000000042B0000-memory.dmp

Filesize
3.1MB

Download
memory/2348-14-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2348-31-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2348-149-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-74-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-50-0x00000000040B0000-0x00000000043D0000-memory.dmp

Filesize
3.1MB

Download
memory/2520-0-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-48-0x00000000040B0000-0x00000000043D0000-memory.dmp

Filesize
3.1MB

Download
memory/2520-29-0x00000000040B0000-0x00000000043D0000-memory.dmp

Filesize
3.1MB

Download
memory/2520-15-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-66-0x00000000040B0000-0x00000000043D0000-memory.dmp

Filesize
3.1MB

Download
memory/2520-11-0x00000000040B0000-0x00000000043D0000-memory.dmp

Filesize
3.1MB

Download
memory/2568-83-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2568-87-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2612-88-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2612-89-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2612-248-0x0000000003690000-0x00000000039B0000-memory.dmp

Filesize
3.1MB

Download
memory/2612-205-0x0000000003690000-0x00000000039B0000-memory.dmp

Filesize
3.1MB

Download
memory/2612-193-0x0000000003690000-0x00000000039B0000-memory.dmp

Filesize
3.1MB

Download
memory/2612-172-0x0000000003690000-0x00000000039B0000-memory.dmp

Filesize
3.1MB

Download
memory/2612-69-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2668-183-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-184-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2668-139-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-144-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2668-141-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2668-142-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-128-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2668-138-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2724-254-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2724-250-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2848-135-0x0000000000720000-0x0000000000783000-memory.dmp

Filesize
396KB

Download
memory/2848-68-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2848-137-0x0000000000720000-0x0000000000783000-memory.dmp

Filesize
396KB

Download
memory/2848-95-0x0000000003720000-0x0000000003A40000-memory.dmp

Filesize
3.1MB

Download
memory/2848-51-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2848-122-0x0000000000720000-0x0000000000783000-memory.dmp

Filesize
396KB

Download
memory/2848-73-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2848-121-0x0000000000720000-0x0000000000783000-memory.dmp

Filesize
396KB

Download
memory/2848-148-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download