1c6c929bda49b3a6438019697ab62fed6657997af5faaa351cd1ad8197ac88ba

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
Size

676KB
MD5

ac2e6c3ab45d7ec9e42f1a234fe70917
SHA1

ac5ea6e5716df8d77622a7e1e6a716672fdf2542
SHA256

1c6c929bda49b3a6438019697ab62fed6657997af5faaa351cd1ad8197ac88ba
SHA512

98366dfe672555855354f37c87a441f6a396874743b3902b743c49fe9eaa0e424daac232c188992938c0cc770f3380f70b3e47f336cbfe1fd2106cc5ca45d185
SSDEEP

12288:u94Vcog9PElU7QpmQWBteo44a05rOTWXOGhJuq1YjvFXbhkBHRc3aVDLUVi:XNlJcFRMq2jv8BHBgo

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2860	reg.exe
2816	reg.exe
2760	reg.exe
2856	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
Token: 1	1980	vbc.exe
Token: SeCreateTokenPrivilege	1980	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1980	vbc.exe
Token: SeLockMemoryPrivilege	1980	vbc.exe
Token: SeIncreaseQuotaPrivilege	1980	vbc.exe
Token: SeMachineAccountPrivilege	1980	vbc.exe
Token: SeTcbPrivilege	1980	vbc.exe
Token: SeSecurityPrivilege	1980	vbc.exe
Token: SeTakeOwnershipPrivilege	1980	vbc.exe
Token: SeLoadDriverPrivilege	1980	vbc.exe
Token: SeSystemProfilePrivilege	1980	vbc.exe
Token: SeSystemtimePrivilege	1980	vbc.exe
Token: SeProfSingleProcessPrivilege	1980	vbc.exe
Token: SeIncBasePriorityPrivilege	1980	vbc.exe
Token: SeCreatePagefilePrivilege	1980	vbc.exe
Token: SeCreatePermanentPrivilege	1980	vbc.exe
Token: SeBackupPrivilege	1980	vbc.exe
Token: SeRestorePrivilege	1980	vbc.exe
Token: SeShutdownPrivilege	1980	vbc.exe
Token: SeDebugPrivilege	1980	vbc.exe
Token: SeAuditPrivilege	1980	vbc.exe
Token: SeSystemEnvironmentPrivilege	1980	vbc.exe
Token: SeChangeNotifyPrivilege	1980	vbc.exe
Token: SeRemoteShutdownPrivilege	1980	vbc.exe
Token: SeUndockPrivilege	1980	vbc.exe
Token: SeSyncAgentPrivilege	1980	vbc.exe
Token: SeEnableDelegationPrivilege	1980	vbc.exe
Token: SeManageVolumePrivilege	1980	vbc.exe
Token: SeImpersonatePrivilege	1980	vbc.exe
Token: SeCreateGlobalPrivilege	1980	vbc.exe
Token: 31	1980	vbc.exe
Token: 32	1980	vbc.exe
Token: 33	1980	vbc.exe
Token: 34	1980	vbc.exe
Token: 35	1980	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1980	vbc.exe
1980	vbc.exe
1980	vbc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1920	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	30
PID 2376 wrote to memory of 1920	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	30
PID 2376 wrote to memory of 1920	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	30
PID 2376 wrote to memory of 1920	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	30
PID 1920 wrote to memory of 2540	1920	csc.exe	32
PID 1920 wrote to memory of 2540	1920	csc.exe	32
PID 1920 wrote to memory of 2540	1920	csc.exe	32
PID 1920 wrote to memory of 2540	1920	csc.exe	32
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 2376 wrote to memory of 1980	2376	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	33
PID 1980 wrote to memory of 264	1980	vbc.exe	34
PID 1980 wrote to memory of 264	1980	vbc.exe	34
PID 1980 wrote to memory of 264	1980	vbc.exe	34
PID 1980 wrote to memory of 264	1980	vbc.exe	34
PID 1980 wrote to memory of 2744	1980	vbc.exe	35
PID 1980 wrote to memory of 2744	1980	vbc.exe	35
PID 1980 wrote to memory of 2744	1980	vbc.exe	35
PID 1980 wrote to memory of 2744	1980	vbc.exe	35
PID 1980 wrote to memory of 2836	1980	vbc.exe	37
PID 1980 wrote to memory of 2836	1980	vbc.exe	37
PID 1980 wrote to memory of 2836	1980	vbc.exe	37
PID 1980 wrote to memory of 2836	1980	vbc.exe	37
PID 1980 wrote to memory of 2840	1980	vbc.exe	38
PID 1980 wrote to memory of 2840	1980	vbc.exe	38
PID 1980 wrote to memory of 2840	1980	vbc.exe	38
PID 1980 wrote to memory of 2840	1980	vbc.exe	38
PID 2744 wrote to memory of 2760	2744	cmd.exe	43
PID 2744 wrote to memory of 2760	2744	cmd.exe	43
PID 2744 wrote to memory of 2760	2744	cmd.exe	43
PID 2744 wrote to memory of 2760	2744	cmd.exe	43
PID 264 wrote to memory of 2856	264	cmd.exe	42
PID 264 wrote to memory of 2856	264	cmd.exe	42
PID 264 wrote to memory of 2856	264	cmd.exe	42
PID 264 wrote to memory of 2856	264	cmd.exe	42
PID 2836 wrote to memory of 2816	2836	cmd.exe	44
PID 2836 wrote to memory of 2816	2836	cmd.exe	44
PID 2836 wrote to memory of 2816	2836	cmd.exe	44
PID 2836 wrote to memory of 2816	2836	cmd.exe	44
PID 2840 wrote to memory of 2860	2840	cmd.exe	45
PID 2840 wrote to memory of 2860	2840	cmd.exe	45
PID 2840 wrote to memory of 2860	2840	cmd.exe	45
PID 2840 wrote to memory of 2860	2840	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bfqcodd-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6F1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB6F0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB6F1.tmp

Filesize
1KB

MD5
dbef7f85339ce5cdcd1c35df4472b4d5

SHA1
a133d4239710420a0410447ff7bd3be5e0dfaa6e

SHA256
803196c6e0e606cc6304f2ec2098563161bcbdd3cc58417426107dda0f5c95d9

SHA512
5897e096b0fecbb46ac0376ad5a1492020d96587a434c28c36a4de93eb46e8ec1c5b353ccd5ba8ff6e3329c0551ec85ee3f754cdaea02305fcedd2b863f5e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfqcodd-.dll

Filesize
5KB

MD5
4722173fd1eff150677172d68a75144a

SHA1
e53b28602a71b8317ab4fca2afee0d6fe31b728b

SHA256
21372bdf41c91c8f869a41d16a476339debceb6a21027e15c422915051e60b17

SHA512
4a0ce4b75e0d7bc68058e0839934980107c4af57fe227cef7afb7c4dd78ee0464425a6b2b7d65227332f73b89e42523312dc18ae12c7c3993b3c0f20d91f8cea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB6F0.tmp

Filesize
652B

MD5
8a53881704c04e299c28f4e0115c47d7

SHA1
1bbe756d062beeae97db20aff6babc28c83966f3

SHA256
4fc6be947fdb1686ab77e791d18a2b5ff9e7a8b62d5ebefa774747c243c8e5ae

SHA512
0e772b5433615058d90b9180844f77744d2ae3235a9067c12cbd713dcf8de100a951dcc0ed23bea0269b62d2ad90fc48586a3512950b83697b3cfd0067043993

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bfqcodd-.0.cs

Filesize
4KB

MD5
133eb944405754b31e85f6d10dd9fb0e

SHA1
4dbcc785e30c95d7b187963a511fc90c94771486

SHA256
67d9de518eaa7b129755acfde8ce8771dac635d21181ff1e4620eaeef03fb18b

SHA512
081979cd1e51f09fb0c3fb5a14530bc446513b5238d594d6c345f3d24cb5377f27cdef518f12adec756bae569d9ed3dc5c6ea9ab2375830c41b4f6c38d1cca1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bfqcodd-.cmdline

Filesize
206B

MD5
e97179e90b09f50db7f76b0517619dcf

SHA1
3b11439fb960cd29bc09f82c368a5eeac098f7d4

SHA256
ebd70539f5d97860501742df856237f0698d4353fc5fafa048c7b0c823320de6

SHA512
133b53743fd4522df597ce84c24aa943f84706c6aec5a2264ea151656da03336377ef84f9baa6859940deec50634f902c1307cb6d18023dfbbcb6471ab11e731

Download Submit
memory/1920-15-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-8-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-51-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-18-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1980-50-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-49-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-47-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-39-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-41-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-42-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-43-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-45-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1980-46-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2376-2-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-31-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-0-0x0000000074CF1000-0x0000000074CF2000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x0000000074CF0000-0x000000007529B000-memory.dmp

Filesize
5.7MB

Download