Overview

overview

10

Static

static

3

a7545d684e...18.exe

windows7-x64

10

a7545d684e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 10:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe

  • Size

    283KB

  • MD5

    a7545d684e5e47e47844c6c208f7d2be

  • SHA1

    d5134bbaf675032ed441177ca75653d4506dc668

  • SHA256

    a54233b1c577395def12a412045f9301d02407c61f24bb1b6c6699a7606a9e33

  • SHA512

    62a3712c7147dca049b975438a8693ccf471ece58cf8b50a8697a7618ee5d4f8326863ebf02d0bcb64e4c2b3c02c97436c8c4d880eba9706cc01c07554784adb

  • SSDEEP

    6144:7yBIvQ6xuIO/taCnq0A8RPAAiwv1MSAAI0R/WPa3YdX9vHj4Si:2BIvrQIO/tS3Wiwv1MRAI0pWPaIBxDpi

Score
10/10
cycbotponybackdoorcredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 7 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2464
    • C:\Users\Admin\AppData\Local\Temp\a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\712A6\6D852.exe%C:\Users\Admin\AppData\Roaming\712A6
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\a7545d684e5e47e47844c6c208f7d2be_JaffaCakes118.exe startC:\Program Files (x86)\A6E79\lvvm.exe%C:\Program Files (x86)\A6E79
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1596
    • C:\Program Files (x86)\LP\5287\4D7F.tmp
      "C:\Program Files (x86)\LP\5287\4D7F.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:628
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1868
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4572
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4300
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2568
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4996
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1996
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:640
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:3996
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2364
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:1104
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3012
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4848
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:764
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4332
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3088
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1224
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks SCSI registry key(s)
    PID:2580
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:768
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\LP\5287\4D7F.tmp
    Filesize

    99KB

    MD5

    f2a253e558976d2d90c49d5154ffe1b8

    SHA1

    527acecd863143b49546317bb4611fea134b442b

    SHA256

    d8420ed0c4c492a51f9c7906d590002de6ec86c4b10dad22c33272615a658d84

    SHA512

    0053d0d2169d10a287f2d01ee6d9b3a4182d5f97ef58cdb3fd66d865c6969df1b0a7b72e3be3b2892aaa9b2ec18152f43216b4da9d2b71142fb2cd737e4db88a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize

    471B

    MD5

    e183deb97722e288a91aee6ee34e213f

    SHA1

    9b365d4b52a5b130693b86ce80cfe8d467c2281e

    SHA256

    d9eab3f59dab7e6a3073f99b001afa9998bc2bd7be1970f0946565c7ce9a2668

    SHA512

    4525506dd71f59e617e9e1465e2ce971f737b5a3746dfee00e2dafb4fb71ebff2484f3347b8588def1373f0c3bd56681c853f0f659f4ebe4b6e2e6f8a3f5b151

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize

    412B

    MD5

    4d229b8fd0176cb33452424362ba7079

    SHA1

    16cd14f418aec661d33218f3e0dc3f408469a8e2

    SHA256

    ed4f0224e031db0e69d177a58fe349a32474d25c91c01aacd43e996ddae6529b

    SHA512

    356fed2277645ce5d5bf5ec829872644ac229a14c9d30d8c42981e28d3e118c1a0737ad0364dfe355872045523735b505622c232b36bc5041f9059e6870140be

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
    Filesize

    2KB

    MD5

    421565e8e70a7c1e9dbcc9c722a54fd5

    SHA1

    eb2e3d4de432927406a7e48154340139de22cb3c

    SHA256

    c47e4409e09a4c8b7b687dc59ad210598a1441d840e905d9098f38ebb5a6f5de

    SHA512

    1ad2127b0394dc3f5ec93c8897f305f839b867bb5cede30676c1a0aacb8b28150f3602e2804e6dad0296412627c77162a5a59a498bbf1cff26cb057cf517457a

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133771760213771345.txt
    Filesize

    76KB

    MD5

    8ef4115f9f52e0e04a2a86b7071b43f1

    SHA1

    dc139e3001249022a4a59812b1dc5f33d8cb379d

    SHA256

    58350e409de3a5a420b8de8e13d8a30c38755530528d21e66e17319af7d3c2c2

    SHA512

    ed952256c66c692288bc3a18a2895a19e0d66db10515fc4ffc0d665ea7c8a36a51830cf7acf53d8cbcafea34eb1c36c6e7176cb5e818f57e1e18d68fa1eaf08d

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FKEP33TV\microsoft.windows[1].xml
    Filesize

    96B

    MD5

    dcfd0f22889d8b3a982fbe019d01d543

    SHA1

    fe866022f3fdf8fba4d3bd366ff0e2683fe58e59

    SHA256

    2337927b5b24c83c8ab37dfc0fe7ddcd832ffb16d0cee5d50344478218893f5b

    SHA512

    11b59e18705c1d95508e298938525f931c12c9010cdc03fad15f5585bc503713670d93739668d886ed9446d528c3dc7ac8cbc8e52198eb85ea6557821a124cc8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\712A6\6E79.12A
    Filesize

    600B

    MD5

    bf48a2301dda9a0db453f4fe46d8d628

    SHA1

    b5c079ee68aaff030198c15c96aea809b7d6315b

    SHA256

    51bc71389e9c1e6619dcbef4a95f92ce2e9e2b07eea08fd3ed021a6156f8b36c

    SHA512

    fa7bf65004fb2271de07289b4364bb3423db339ca588ea9e40d45f8a74599ae45ac37c4e9ad295b65806d136236a51f78661946bb4a3d7e5fbe48bd5eb1ba925

    Download Submit

  • C:\Users\Admin\AppData\Roaming\712A6\6E79.12A
    Filesize

    1KB

    MD5

    103269db737758ae66848e1060b9fbde

    SHA1

    61a8686559476de3e82df9b4243bd9ad4f03288b

    SHA256

    28d8a5aec62479f8c13136b87d238c248bed4e34b0c21a7798e914b675ad2790

    SHA512

    362006f95cf30555d54501709bdc7501a7d314826407e211f97a500918b8f03863f38aac4ea36d291bcd7b8c51cb9698dd293cfb0668b08e45931c4bc14d5aef

    Download Submit

  • C:\Users\Admin\AppData\Roaming\712A6\6E79.12A
    Filesize

    996B

    MD5

    f1976d0e18a02c6cddb45fff4c3e096c

    SHA1

    3a0c9fb7cd4302510eb55eaa94794f97189d511e

    SHA256

    65987aed2f4be2ef9daaada66cc55da6fe7175f45283a02fdf485ca8f9c1aa46

    SHA512

    d045996fdcff8e9db2baf0a3482886662f1f817ca0b58b92d60dda27b1fd73ff35f8af400aca8eeedd7e947c6df433417f7d98f9c29d6ddbc2b1a267c99900b8

    Download Submit

  • memory/628-355-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/640-207-0x000002A566160000-0x000002A566180000-memory.dmp

    Filesize

    128KB

    Download

  • memory/640-192-0x000002A565170000-0x000002A565270000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/640-222-0x000002A566570000-0x000002A566590000-memory.dmp

    Filesize

    128KB

    Download

  • memory/640-197-0x000002A5661A0000-0x000002A5661C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/764-534-0x000001C201380000-0x000001C2013A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/764-523-0x000001C200F70000-0x000001C200F90000-memory.dmp

    Filesize

    128KB

    Download

  • memory/764-511-0x000001C200FB0000-0x000001C200FD0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/764-507-0x000001C200000000-0x000001C200100000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/764-506-0x000001C200000000-0x000001C200100000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1104-359-0x0000023DB7640000-0x0000023DB7740000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1104-376-0x0000023DB8750000-0x0000023DB8770000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1104-387-0x0000023DB8B60000-0x0000023DB8B80000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1104-360-0x0000023DB7640000-0x0000023DB7740000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1104-361-0x0000023DB7640000-0x0000023DB7740000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1104-364-0x0000023DB8790000-0x0000023DB87B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1224-663-0x0000029DEECD0000-0x0000029DEECF0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1224-694-0x0000029DEF2A0000-0x0000029DEF2C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1224-692-0x0000029DEEC90000-0x0000029DEECB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1224-658-0x0000029DEDD70000-0x0000029DEDE70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1596-78-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2244-16-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2244-15-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2244-14-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2464-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2464-76-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2464-13-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2464-972-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2464-503-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2464-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2464-11-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/3012-504-0x0000000004530000-0x0000000004531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3996-357-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4300-808-0x0000016323B00000-0x0000016323C00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4300-813-0x0000016B25C00000-0x0000016B25C20000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4300-835-0x0000016B25FD0000-0x0000016B25FF0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4300-823-0x0000016B25BC0000-0x0000016B25BE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4332-655-0x0000000004530000-0x0000000004531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4996-191-0x0000000004600000-0x0000000004601000-memory.dmp

    Filesize

    4KB

    Download