Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2024, 14:19

General

  • Target

    7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe

  • Size

    404KB

  • MD5

    7f85f00af073eeaba1e19077285ae933

  • SHA1

    8ab10781d4965f97ba6fba83f651aa63b547168a

  • SHA256

    e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984

  • SHA512

    e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6

  • SSDEEP

    6144:+tiKbV4FeQ277LUnc2Emm4FSM1A4N87E/hTOZsSNBMlxUAFvnMB8ZN4Gb/Deg7o9:gi86Q/QnFlA+8FExF0B8ZeYeg7QnNxwa

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 25 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks for any installed AV software in registry 1 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: Clear Persistence 1 TTPs 5 IoCs

    remove IFEO.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops autorun.inf file 1 TTPs 13 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 22 IoCs
  • UPX packed file 39 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Indicator Removal: Clear Persistence
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2216
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:884
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\com\smss.exe
        C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
        3⤵
        • Executes dropped EXE
        PID:2852
    • \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
      "c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Indicator Removal: Clear Persistence
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2564
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2560
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c echo ok
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2260
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2264
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\com\smss.exe
          C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
          4⤵
          • Executes dropped EXE
          PID:2892
      • C:\Windows\SysWOW64\com\lsass.exe
        "C:\Windows\system32\com\lsass.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Indicator Removal: Clear Persistence
        • Drops autorun.inf file
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:308
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2884
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2748
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2936
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2392
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1944
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1556
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c echo ok
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1260
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1204
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2248
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2288
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2032
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:2352
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2712
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2216
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:2508
        • C:\Windows\SysWOW64\com\smss.exe
          C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
          4⤵
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Indicator Removal: Clear Persistence
          • System Location Discovery: System Language Discovery
          PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2772
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1780
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2636
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:2552
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2132
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3064
      • C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
        "C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
        3⤵
        • Executes dropped EXE
        PID:836
      • C:\Windows\SysWOW64\com\lsass.exe
        ^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Checks for any installed AV software in registry
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Indicator Removal: Clear Persistence
        • Drops autorun.inf file
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2040
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3028
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2232
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:940
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:956
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1288
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2568
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c echo ok
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1236
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1884
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2540

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\NetApi00.sys

          Filesize

          4KB

          MD5

          8e336906e90cb3558fb9704d0921e27a

          SHA1

          59ad8af4982e287954ecf0afaa2f28bc1ba578bc

          SHA256

          7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897

          SHA512

          0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24

        • C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

          Filesize

          404KB

          MD5

          7f85f00af073eeaba1e19077285ae933

          SHA1

          8ab10781d4965f97ba6fba83f651aa63b547168a

          SHA256

          e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984

          SHA512

          e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6

        • C:\Windows\SysWOW64\com\netcfg.000

          Filesize

          44KB

          MD5

          d3777f588e34bbc50a1c08d472b94a83

          SHA1

          abcbccde250c3a142347efc32c5a89869ead61f4

          SHA256

          0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b

          SHA512

          8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc

        • C:\Windows\SysWOW64\com\smss.exe

          Filesize

          21KB

          MD5

          ecc52a71f452d05a30b9b521d8ed9025

          SHA1

          fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

          SHA256

          f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

          SHA512

          d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

        • \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~

          Filesize

          243KB

          MD5

          1cf46cbf40ec16bef528ebc2fd7f03dc

          SHA1

          54069df6e6d11b93dca22d8461b9588302f912c6

          SHA256

          d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf

          SHA512

          fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea

        • \Windows\SysWOW64\com\lsass.exe

          Filesize

          80KB

          MD5

          4c17312e44a4000a782a5c71b04b5faa

          SHA1

          47c4c0f3b80f809957ddff48b28211d992f3e9f5

          SHA256

          a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341

          SHA512

          8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14

        • \Windows\SysWOW64\dnsq.dll

          Filesize

          23KB

          MD5

          c08ba4c0a84a6d5dbd2f8c99ecfe7116

          SHA1

          a031a2147851c856eff0161a266e33410aa94604

          SHA256

          7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f

          SHA512

          ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01

        • memory/308-99-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-82-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/308-129-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-161-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-157-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-117-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-165-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-153-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-45-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-133-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-169-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-149-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-112-0x0000000000540000-0x000000000054F000-memory.dmp

          Filesize

          60KB

        • memory/308-177-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-181-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-137-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-103-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/308-141-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/308-123-0x0000000000540000-0x000000000054F000-memory.dmp

          Filesize

          60KB

        • memory/308-145-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1780-0-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1780-21-0x0000000002DE0000-0x0000000002E10000-memory.dmp

          Filesize

          192KB

        • memory/1780-23-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1780-20-0x0000000002DE0000-0x0000000002E10000-memory.dmp

          Filesize

          192KB

        • memory/2032-88-0x00000000000B0000-0x00000000000BF000-memory.dmp

          Filesize

          60KB

        • memory/2032-86-0x00000000000B0000-0x00000000000BF000-memory.dmp

          Filesize

          60KB

        • memory/2040-69-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/2040-55-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/2216-104-0x0000000000120000-0x000000000012F000-memory.dmp

          Filesize

          60KB

        • memory/2216-106-0x0000000000120000-0x000000000012F000-memory.dmp

          Filesize

          60KB

        • memory/2352-92-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2508-109-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2552-124-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2636-121-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2696-125-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2696-126-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/2696-116-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/2704-8-0x0000000000160000-0x000000000016F000-memory.dmp

          Filesize

          60KB

        • memory/2704-10-0x0000000000160000-0x000000000016F000-memory.dmp

          Filesize

          60KB

        • memory/2712-100-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2720-101-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2852-15-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2852-12-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2892-35-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2908-22-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/2908-44-0x0000000002CB0000-0x0000000002CE0000-memory.dmp

          Filesize

          192KB

        • memory/2908-57-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB