edb2a4a4b15fca13c27508dc73a350c72ddd8b51a0519c1773cf9de976ce9722

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bd4377e423f3b9ca1358a72270688e1_JaffaCakes118.doc
Size

242KB
MD5

2bd4377e423f3b9ca1358a72270688e1
SHA1

8d09f32e62b2164247d20e94a9d4b4f60cfd195c
SHA256

edb2a4a4b15fca13c27508dc73a350c72ddd8b51a0519c1773cf9de976ce9722
SHA512

d96f277db9d90f700e6f854edd7e3b47c70c063d97e9edc7483165ed36d80e716f3cd298b173ce89f4d090c94c3397a35af09b6d6b90f38fcdc6777e9c234046
SSDEEP

3072:Xvw9HXPJguq73/IKBWyAIdShTt1H5KQlDGydfUXD4c:XvKHXPJi73wAbUlTlDvFUXDp

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?3bLCQ024A1aFLHo4NUx1FVPz9Y3V9dWH:80701805	EXCEL.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3392A8E-C9FA-446A-8458-9F27DB098100}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{F3392A8E-C9FA-446A-8458-9F27DB098100}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{F3392A8E-C9FA-446A-8458-9F27DB098100}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{F3392A8E-C9FA-446A-8458-9F27DB098100}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1544	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1544	WINWORD.EXE
1544	WINWORD.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE
3052	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2712	1544	WINWORD.EXE	32
PID 1544 wrote to memory of 2712	1544	WINWORD.EXE	32
PID 1544 wrote to memory of 2712	1544	WINWORD.EXE	32
PID 1544 wrote to memory of 2712	1544	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2bd4377e423f3b9ca1358a72270688e1_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2712

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EF02D6AB-8F1A-4568-B85A-920607641097}.FSD

Filesize
128KB

MD5
a5f0feffa293097b6be39786d6be2bec

SHA1
3416fcae99f4f2efe41f79b62b09c03a88b33a65

SHA256
bce5ed3f94e873eb56cda00ee82737599568c2912bcee6128e50baf9300e7052

SHA512
5cf948b452f97d3094f7e9ab3badada811ef439df127efedd1e14b55bc8f390a5348b980c1971ac7c453b13e6ed183782692a5c224f1b97559c473f8013ba83c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
50534e4bea7d179f4ba4d7a36c09dda5

SHA1
3308c31fd70e0976a7f4a4cc648d7ac5f7961e70

SHA256
5b25cae624d441f5fa361b4fc481792dd13c6d6d29fd05f04da7862403272557

SHA512
21b89d8c2f3df8afaed659379ce6fbbaa47ba13966a09333566d2468d9a4bc79771ffe9006eb5e79d8e20f5fe5013837ed9a816c7ec110076ad7f43dd8cf9d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AA2EC2C7-62B4-46C4-83C4-D25A1F529A72}

Filesize
128KB

MD5
e7e526175d54acbf682772b6cb0cf184

SHA1
c6150609534e4784175e864f8a6e772db697a987

SHA256
87835622f25495b0fb63599982e7d84c03f0f99ba12605678c473c8e2615d081

SHA512
8fe37720bd52ef0f0608276e01d8478704c86be2b0191f002fefd05acba4ca0cd2293cbafdc51e98760712e02e53c89031a64b46e3ddb067379840d8b6b81a70

Download Submit
memory/1544-0-0x000000002F811000-0x000000002F812000-memory.dmp

Filesize
4KB

Download
memory/1544-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1544-2-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/1544-9-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/1544-11-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-12-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-13-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-15-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-17-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-16-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-20-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-14-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-27-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-29-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-31-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-33-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-38-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-32-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-30-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-28-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-26-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-25-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-24-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-23-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-22-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-21-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-19-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-18-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-53-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-75-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-61-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-60-0x000000000F4D0000-0x000000000F5D0000-memory.dmp

Filesize
1024KB

Download
memory/1544-59-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-58-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-57-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-56-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-55-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-54-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-52-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-51-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-50-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-49-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-48-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-47-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-46-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-45-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-44-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-43-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-42-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-41-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-40-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-39-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-37-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-36-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-35-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-34-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-515-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1544-516-0x000000000F4D0000-0x000000000F5D0000-memory.dmp

Filesize
1024KB

Download