Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 22:18

General

  • Target

    JaffaCakes118_00512769a91021a9661bc83d6c246057.exe

  • Size

    812KB

  • MD5

    00512769a91021a9661bc83d6c246057

  • SHA1

    4449e726a0c0835667b3396aec6bacb5c2d2fc78

  • SHA256

    36f923ef3c4c35c130ef407f24ba2c8fe522a721d038bedf4c1bfaf365c57931

  • SHA512

    06c0a37188f4d791c611b44291961043256756ca05de2e513420e706a066bd4fdea2ea132a500255e9e323d7186985155293a0f1548461ff1678e40f2aa663a5

  • SSDEEP

    12288:4YknjLpbBNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4Ykjlbr+8lUCpeZM3BDhPC5u/G

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 2 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modiloader family
  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • ModiLoader Second Stage 9 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:864
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00512769a91021a9661bc83d6c246057.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
        JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\bxpTXK8W.exe
          C:\Users\Admin\bxpTXK8W.exe
          3⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1192
          • C:\Users\Admin\queoye.exe
            "C:\Users\Admin\queoye.exe"
            4⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2908
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2756
        • C:\Users\Admin\akhost.exe
          C:\Users\Admin\akhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2944
          • C:\Users\Admin\akhost.exe
            akhost.exe
            4⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2740
        • C:\Users\Admin\bkhost.exe
          C:\Users\Admin\bkhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Users\Admin\bkhost.exe
            bkhost.exe
            4⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1156
        • C:\Users\Admin\ckhost.exe
          C:\Users\Admin\ckhost.exe
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1996
          • C:\Users\Admin\ckhost.exe
            C:\Users\Admin\ckhost.exe startC:\Users\Admin\AppData\Roaming\D7463\36DBE.exe%C:\Users\Admin\AppData\Roaming\D7463
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:788
          • C:\Users\Admin\ckhost.exe
            C:\Users\Admin\ckhost.exe startC:\Program Files (x86)\63715\lvvm.exe%C:\Program Files (x86)\63715
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1884
          • C:\Program Files (x86)\LP\BEFD\55FD.tmp
            "C:\Program Files (x86)\LP\BEFD\55FD.tmp"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:912
        • C:\Users\Admin\dkhost.exe
          C:\Users\Admin\dkhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2096
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2484
        • C:\Users\Admin\ekhost.exe
          C:\Users\Admin\ekhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2088
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2320
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:712
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1080
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x5d8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\LP\BEFD\55FD.tmp
    Filesize: 99KB
    MD5: 1e68864c3deefd4a81f2f505740f09fc
    SHA1: 8a12dea68e9924e27bed3076674ddd5e9448c443
    SHA256: a25f10f13be9dc44c25c88c0834ffce455e0e7ad0d7e4a32c825120c3a5dc1bf
    SHA512: 60c98b7a8dfaba961363edbac2d58996b246b5a2e472b064173fa501ab06e3b800449e5020252450e73f13e1a59c704e10d778ee972396a19389217b0f0b4bce

  • C:\Users\Admin\AppData\Roaming\D7463\3715.746
    Filesize: 300B
    MD5: 9dd83cb58099244c7e3ace1c2700a164
    SHA1: ef6d756d25fd5ea9032434b6a166133814cb3901
    SHA256: 9b75f3487d90c75d07ae83b16b97a65e54a61b1f582a19c2b1e700a41a9316bb
    SHA512: 8ee0567a153a7d5acab58e2cdf7f56e34e339c76a8f64d30850edabdfaa729d2a8de7596768a442ed342191d6eb166fcfafc910f2fe6470b4ef130f9fcb30de1

  • C:\Users\Admin\AppData\Roaming\D7463\3715.746
    Filesize: 600B
    MD5: b6067ae264078071f46e70ac136b57ce
    SHA1: 153ab163232aebc3713295fec75dec17b825072f
    SHA256: f5a6fe1dfc5cafc64b77b2aad35c881d863fb8c0e5520d7aebbc3cf90461eb9c
    SHA512: 3021d5705c9b7aaf286c3f5397df9cfb92286e7a96e7500e33ceb16243ff1485b86444cff5e0fddb0818dc4efcd912d2ec9f8d5f9f5d877c2c759c0fca32a870

  • C:\Users\Admin\AppData\Roaming\D7463\3715.746
    Filesize: 996B
    MD5: df23812d44905d2162a8bfed24522a04
    SHA1: 937e34467e8fec6d09b86c6bffb46b383e010276
    SHA256: d1fd0a25942b166f1b2debdf70a1eeccea9976415e87ff42099c634704db703f
    SHA512: a0fd87d845f133a70467b3aa936df63834200efc8a577d65401f4d3a471cedb4a8c103314c7284b590e5634103a0d7e026eee879d6b27307ac9f49d25eee3cbc

  • C:\Users\Admin\AppData\Roaming\D7463\3715.746
    Filesize: 1KB
    MD5: b450cbb1ef3e24f7ba8992f68585427e
    SHA1: 666a34e5682731a79cc975152bcbf34970808622
    SHA256: 6bf58e4220f24d1f97312a7d486c21a1c647e95e9dbbd79fdc88441cf20d86e9
    SHA512: ffaf5194f209fbbf0511681ca144245be1349e75fa8cb56e42897cfa31185b4013d7556221b6ecdf6e563276e4d622f60b249351d5a007da5f2788c8a732affd

  • C:\Users\Admin\bxpTXK8W.exe
    Filesize: 184KB
    MD5: 2261c2411c6e581bf496a0be8d46c6d8
    SHA1: 79e709807dff36c8d9936db05c0adcce54a1a290
    SHA256: 20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418
    SHA512: 622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

  • C:\Users\Admin\ekhost.exe
    Filesize: 32KB
    MD5: 49e105d54bf4201e39ef974f9e5c24dc
    SHA1: 70737f6e75e250cfa335f8ef10be4b934f6fa1af
    SHA256: a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119
    SHA512: 7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

  • \??\globalroot\systemroot\assembly\temp\@
    Filesize: 2KB
    MD5: 8730a9bdb1edd7b81aa151c169757b62
    SHA1: fdc24e8cfc0b7c2cd6a8c649c9c452d4ac42ebd8
    SHA256: 7d56ababfcd7d5924c7cff39dc9b8b3d707487b38dee37b6cfe9bb4cbca4d9b8
    SHA512: 2aa92616aadded33844050521efb264b2cc923cc9fdfd0c5949d807793a4113ebd5cceceba5d3ed116488a688eaa8c691e0b2422149c5b4cd9e9f8adc87b12af

  • \Users\Admin\akhost.exe
    Filesize: 229KB
    MD5: 2c895814249b3630f5ef87aef065a6d2
    SHA1: 785a02f3a3c958fb2f3fa7ce26860b65da34939d
    SHA256: cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a
    SHA512: 14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

  • \Users\Admin\bkhost.exe
    Filesize: 122KB
    MD5: 6adba45c3cd86e3e4179c2489adc3ed0
    SHA1: c856828981816a028d9948d4e90e83779ba00cc6
    SHA256: e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8
    SHA512: 13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

  • \Users\Admin\ckhost.exe
    Filesize: 279KB
    MD5: b4004c548fec0ae0f7264b509b95e4d8
    SHA1: 6142664dc2b3ce927fecb96fa18a1dbc5219ae8f
    SHA256: 3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56
    SHA512: 750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

  • \Users\Admin\dkhost.exe
    Filesize: 240KB
    MD5: 0a67782f34b335fe42be835ad4542124
    SHA1: c1838a364f27ed7b8a463edefeabf8d762d1f149
    SHA256: 4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c
    SHA512: 4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

  • \Users\Admin\queoye.exe
    Filesize: 184KB
    MD5: b7182690829ca166de1cc3b27e913850
    SHA1: 6937070816378a3db42588f6a19bce2c9bb75224
    SHA256: e40ca48d7eb37030a1837cbd4d42bfb9f76973fd9b1097a7f41b8ee226e64e1b
    SHA512: 7d34275ce2cf043c0540021038d7511c221b0f7a8f7ada85586705bf2ea8348723cdf23cf9f1b7d12a31777380d33d92c19b2c4bb474403a53f6b053e934467d

  • \Windows\System32\consrv.dll
    Filesize: 53KB
    MD5: 63e99b675a1337db6d8430195ea3efd2
    SHA1: 1baead2bf8f433dc82f9b2c03fd65ce697a92155
    SHA256: 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
    SHA512: f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

  • \Windows\assembly\GAC_32\Desktop.ini
    Filesize: 4KB
    MD5: 758f90d425814ea5a1d2694e44e7e295
    SHA1: 64d61731255ef2c3060868f92f6b81b4c9b5fe29
    SHA256: 896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
    SHA512: 11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

  • memory/788-171-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/1156-117-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-96-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-95-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-83-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-85-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-81-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-94-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1156-89-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
  • memory/1616-91-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
  • memory/1996-116-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
  • memory/2096-160-0x00000000003B0000-0x00000000003EC000-memory.dmp (Filesize: 240KB)
  • memory/2096-169-0x0000000000400000-0x000000000045D000-memory.dmp (Filesize: 372KB)
  • memory/2096-168-0x00000000003B0000-0x00000000003EC000-memory.dmp (Filesize: 240KB)
  • memory/2096-164-0x00000000003B0000-0x00000000003EC000-memory.dmp (Filesize: 240KB)
  • memory/2604-10-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
  • memory/2644-2-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-12-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2644-394-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-6-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-15-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-13-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-4-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-0-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2644-51-0x0000000000400000-0x0000000000516000-memory.dmp (Filesize: 1.1MB)
  • memory/2740-56-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-54-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-58-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-68-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-61-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-105-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-64-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2740-72-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize: 220KB)
  • memory/2944-69-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)