2170b2ae7c1bd75d1465b9d70b9dd90da3bb511f3aed07ca0d263864719c6380

Analysis

max time kernel
135s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 11:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
Size

928KB
MD5

8a40689c25ef37cbe6721c5777f00859
SHA1

814a68571fc544a281c5e096199e559882a1e01f
SHA256

2170b2ae7c1bd75d1465b9d70b9dd90da3bb511f3aed07ca0d263864719c6380
SHA512

1ab8eee4ac793c30787916190b2a3afc86f7c062f371028dc45c928e69c4a138063b5d5b0cd1de4810cdec9ed19624e13c643450493d2b26b746a7a7bb2ccbbb
SSDEEP

24576:VZ8SXWQmXtu/nhfA68NJvhjyR4kKJRi0+4:TvmQ46AjyeZJRi0T

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016ddf-33.dat	acprotect
behavioral1/files/0x00070000000170f2-48.dat	acprotect
behavioral1/files/0x0007000000017131-50.dat	acprotect

Deletes itself 1 IoCs

pid	Process
748	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	PrstService.exe

Loads dropped DLL 5 IoCs

pid	Process
824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
2904	PrstService.exe
2904	PrstService.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016ddf-33.dat	upx
behavioral1/files/0x00070000000170f2-48.dat	upx
behavioral1/files/0x0007000000017131-50.dat	upx
behavioral1/memory/2904-72-0x0000000003230000-0x0000000003254000-memory.dmp	upx
behavioral1/memory/2904-71-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/824-68-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/824-81-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/2904-98-0x0000000010000000-0x000000001012A000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PrstService.exe	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PrstService.exe	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PrstService.dll	PrstService.exe
File opened for modification	C:\Windows\SysWOW64\PrstService.dll	PrstService.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\Exmlrpc.fne	PrstService.exe
File created	C:\Program Files\Internet Explorer\krnln.fnr	PrstService.exe
File opened for modification	C:\Program Files\Internet Explorer\krnln.fnr	PrstService.exe
File created	C:\Program Files\Internet Explorer\IJL105.DLL	PrstService.exe
File opened for modification	C:\Program Files\Internet Explorer\IJL105.DLL	PrstService.exe
File created	C:\Program Files\Internet Explorer\dp1.fne	PrstService.exe
File opened for modification	C:\Program Files\Internet Explorer\dp1.fne	PrstService.exe
File created	C:\Program Files\Internet Explorer\Exmlrpc.fne	PrstService.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\PrstService.jpg	PrstService.exe
File opened for modification	C:\Windows\Fonts\PrstService.jpg	PrstService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrstService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	PrstService.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F008A411-57D7-11EF-9F09-428107983482} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429538910"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
2904	PrstService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
2904	PrstService.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2904	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	30
PID 824 wrote to memory of 2904	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	30
PID 824 wrote to memory of 2904	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	30
PID 824 wrote to memory of 2904	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2680	2904	PrstService.exe	31
PID 2904 wrote to memory of 2680	2904	PrstService.exe	31
PID 2904 wrote to memory of 2680	2904	PrstService.exe	31
PID 2904 wrote to memory of 2680	2904	PrstService.exe	31
PID 2680 wrote to memory of 1768	2680	IEXPLORE.EXE	32
PID 2680 wrote to memory of 1768	2680	IEXPLORE.EXE	32
PID 2680 wrote to memory of 1768	2680	IEXPLORE.EXE	32
PID 2680 wrote to memory of 1768	2680	IEXPLORE.EXE	32
PID 824 wrote to memory of 748	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	33
PID 824 wrote to memory of 748	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	33
PID 824 wrote to memory of 748	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	33
PID 824 wrote to memory of 748	824	8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe	33
PID 2904 wrote to memory of 2680	2904	PrstService.exe	31

C:\Users\Admin\AppData\Local\Temp\8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a40689c25ef37cbe6721c5777f00859_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\PrstService.exe
  C:\Windows\system32\PrstService.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\delus.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a15bedb2b4953837cf044326d5f341a5

SHA1
583755ed335eca84664137e1e62b5b319f194248

SHA256
30d9bceafea54d3b37da7039592b7a3b056cb7097056343289edcdb3ab88529c

SHA512
96198855fcff72ec93826254f4b04f3e673f99948ea16aa54e1d6475e374d25423f263bd48feb652987a849b84a5a6ba1858b4af8f71190f321ea0111789b2d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdef08cade87a14556a20102dd7dd9a2

SHA1
d18d12efbacdffa21467b3f6ef922ec4a55f0570

SHA256
eb4a78047244e5e91cc4cd703a24d6b34464aff3358251b7863b08fa02c3bbdc

SHA512
0447afc94763c23f02784089768768a9784dda4fc42ab22c89c9b4594abf6262e4c1d78cd708f29b895184b80d934c8c1f11b9883b002e75b08128fd712ffb64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0959c02df33ecf9e3ab77ca91dcda5ad

SHA1
e7393cebf84250f8255979b783c9131ab0cb1eb4

SHA256
b05ee072ff04a8df46b1792d5eaba92aaf5f695563145e9b842d8044c1eae381

SHA512
89cc03f3f90713691c53a6570041924373218dc52ef8527b8528bb6219386a3f1ff1f2c415bc8957a88c53bddd7fb329b2e02805037c1bc8961cb0ad5e215c3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be19b2e7a8adf555466c25e7ccf423e3

SHA1
b1d13e74b345e3b5c25d3c99622b80a3d827f531

SHA256
cf156b8624023cc90afc3a919ca526311f6583b0967570d30053cc593d7bc88c

SHA512
5e21aeb52b8f1dc7ec018b36230311b48d8d1ed10da819cbb8c9aeb1e58138de786ba416216576398bfedad29719d5586afe1f25b75731a8e0bef2ff1fdfab03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6a10b1715b2a36838fa4d7d6f2d71f8

SHA1
f9f45bbe809d8efb008c76d8cfea47b4a1c65f23

SHA256
39b280bde080159773d44179abb79d62252c108e02f34200e17986b00cba2c07

SHA512
51dfbdaaf08701f3874b86b762a2bb86df78462e4cae2b2fba07bf36d1122941559ba033a6d6dd86b3f56b55e33dde317e80342ddffee85893499dbeeee33f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5308dc6bf0bfe904ebbe6948e5a8af14

SHA1
6815b27716010ef670049423b89251c74c83a947

SHA256
e5eb54c60a0e4a4d1824ec8ed92a34b4ed658638b8c3a4173b1e3c5222090c5e

SHA512
8ac64db5f9bd0b28b630c8e732ca62cfb924106df32741443884f6468bf08d3d07a8b985a90a287859f08364ff24de48e40780b610dfc038cfb082ae438f929e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15be7034ec30abe6c94551b4a4a59224

SHA1
a7a8b0f1fbd0023c25980435d217084686092eca

SHA256
c9d7caae9b8b861eec57ee5ae713ea7fd7b97de83920d2bba175ebcce340bf98

SHA512
4765dcf0fbd4b8a6cf6ccea9a1eb888d75c20be7f209c7747ed9a450131763096a77feee7c350e8fd2edba9d760c652393f23ec33d49207eba7cec0d5f4dc6b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da0ba43a4e17935bc4054a12e45cdcac

SHA1
922d3992d01fa5c096a261cda3200ff0f1ab7a21

SHA256
b7e324d3faf67233247231770fc34ce2488c2358e156d9d3a097193e433a5335

SHA512
99be55edfddb65045fdb4c67ad1aeba0e46e44f4feac4af9306ee6fbd9b2019bc466941132ac5ae2b31eb3244b8b20ae091926700ba7caa8defc790eb2f8115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18B1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
34KB

MD5
387cf1d2f17aff6967f3107773764513

SHA1
b971bcd44988bee744f8133acb032e07d9dcd1db

SHA256
74c55aaee905be674763d679ca05a6baaf93f456b5d8935d6293e523766968c6

SHA512
19a4fb39b2f9863c92d76016290e701fd6bb1aa5d889896666922fd862d5b72b95a97aa27d3d0b3218233ba9dbcb3db147efbf9e61e5be853d4d3672e87bfd5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
56KB

MD5
6649262561fba5d19f8b99dd251b5d02

SHA1
286e2ab6bc2220b3c9a83720c4c612623210e10f

SHA256
824afe6bde1c2890077e9a40c4261a77a1d736429709a45d68ed508581e74771

SHA512
688bd75b1e9661f425a21577063362e609ce496880a4780012317d56075095e5804fb7b849b32fbbea06fbbff5d47a5534113b6613f1a236b2a76cd043bba7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1931.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\delus.bat

Filesize
230B

MD5
51a5da2d123970ff06136d1c34a8618d

SHA1
c73874f2b5deb1a204bfa38f9fbb8147523996f1

SHA256
ec83fab580f8495200d4024295abb989cf10b5cac773fc1e7880be4e566a5a14

SHA512
654f0a72d1a5e6f4f179df489601832d293ad5e7cf3c355fe88ee7457ab1b5e5519889775ae84b31848911ac18ee948617a88f0baafddc2d3a3eefbfe8e67d05

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
406KB

MD5
e79169d47394020f7c893abb840b61bb

SHA1
c5b9c2cbef3d5458b52ebb67461e84432673fb1b

SHA256
11c25cdeb02ac401d913dc48b935a087e32c2d9b7b7c4a5cfdf36e4947e959dc

SHA512
21ca64559082a31e46e28513de762fa2239c521f60b3485bf99926f895f0bf6f63fe2162c3e2eb25705efad22d351e24b8283442f4954ac88bc8c56ef5dc529a

Download Submit
\Windows\SysWOW64\PrstService.exe

Filesize
928KB

MD5
8a40689c25ef37cbe6721c5777f00859

SHA1
814a68571fc544a281c5e096199e559882a1e01f

SHA256
2170b2ae7c1bd75d1465b9d70b9dd90da3bb511f3aed07ca0d263864719c6380

SHA512
1ab8eee4ac793c30787916190b2a3afc86f7c062f371028dc45c928e69c4a138063b5d5b0cd1de4810cdec9ed19624e13c643450493d2b26b746a7a7bb2ccbbb

Download Submit
memory/824-8-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/824-69-0x0000000003420000-0x00000000034B8000-memory.dmp

Filesize
608KB

Download
memory/824-7-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/824-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/824-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/824-4-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/824-3-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/824-32-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-31-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-27-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-26-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-25-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-24-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-9-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/824-23-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-22-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-10-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/824-54-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-11-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-12-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-1-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/824-46-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-37-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-61-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-59-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/824-2-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/824-21-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-70-0x0000000003420000-0x00000000034B8000-memory.dmp

Filesize
608KB

Download
memory/824-68-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/824-67-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-66-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-65-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-64-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-63-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-62-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/824-13-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-83-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/824-82-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/824-81-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/824-20-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-19-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/824-14-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-15-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-16-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-17-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/824-18-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2904-98-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2904-96-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2904-71-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2904-72-0x0000000003230000-0x0000000003254000-memory.dmp

Filesize
144KB

Download
memory/2904-47-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download