1c6c929bda49b3a6438019697ab62fed6657997af5faaa351cd1ad8197ac88ba

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
Size

676KB
MD5

ac2e6c3ab45d7ec9e42f1a234fe70917
SHA1

ac5ea6e5716df8d77622a7e1e6a716672fdf2542
SHA256

1c6c929bda49b3a6438019697ab62fed6657997af5faaa351cd1ad8197ac88ba
SHA512

98366dfe672555855354f37c87a441f6a396874743b3902b743c49fe9eaa0e424daac232c188992938c0cc770f3380f70b3e47f336cbfe1fd2106cc5ca45d185
SSDEEP

12288:u94Vcog9PElU7QpmQWBteo44a05rOTWXOGhJuq1YjvFXbhkBHRc3aVDLUVi:XNlJcFRMq2jv8BHBgo

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9C4A9FE-E10A-E6C4-FC8D-DDE76BBEB8E4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1212	reg.exe
1204	reg.exe
3264	reg.exe
4508	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
Token: 1	1508	vbc.exe
Token: SeCreateTokenPrivilege	1508	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1508	vbc.exe
Token: SeLockMemoryPrivilege	1508	vbc.exe
Token: SeIncreaseQuotaPrivilege	1508	vbc.exe
Token: SeMachineAccountPrivilege	1508	vbc.exe
Token: SeTcbPrivilege	1508	vbc.exe
Token: SeSecurityPrivilege	1508	vbc.exe
Token: SeTakeOwnershipPrivilege	1508	vbc.exe
Token: SeLoadDriverPrivilege	1508	vbc.exe
Token: SeSystemProfilePrivilege	1508	vbc.exe
Token: SeSystemtimePrivilege	1508	vbc.exe
Token: SeProfSingleProcessPrivilege	1508	vbc.exe
Token: SeIncBasePriorityPrivilege	1508	vbc.exe
Token: SeCreatePagefilePrivilege	1508	vbc.exe
Token: SeCreatePermanentPrivilege	1508	vbc.exe
Token: SeBackupPrivilege	1508	vbc.exe
Token: SeRestorePrivilege	1508	vbc.exe
Token: SeShutdownPrivilege	1508	vbc.exe
Token: SeDebugPrivilege	1508	vbc.exe
Token: SeAuditPrivilege	1508	vbc.exe
Token: SeSystemEnvironmentPrivilege	1508	vbc.exe
Token: SeChangeNotifyPrivilege	1508	vbc.exe
Token: SeRemoteShutdownPrivilege	1508	vbc.exe
Token: SeUndockPrivilege	1508	vbc.exe
Token: SeSyncAgentPrivilege	1508	vbc.exe
Token: SeEnableDelegationPrivilege	1508	vbc.exe
Token: SeManageVolumePrivilege	1508	vbc.exe
Token: SeImpersonatePrivilege	1508	vbc.exe
Token: SeCreateGlobalPrivilege	1508	vbc.exe
Token: 31	1508	vbc.exe
Token: 32	1508	vbc.exe
Token: 33	1508	vbc.exe
Token: 34	1508	vbc.exe
Token: 35	1508	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1508	vbc.exe
1508	vbc.exe
1508	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 636	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	93
PID 5076 wrote to memory of 636	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	93
PID 5076 wrote to memory of 636	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	93
PID 636 wrote to memory of 2868	636	csc.exe	96
PID 636 wrote to memory of 2868	636	csc.exe	96
PID 636 wrote to memory of 2868	636	csc.exe	96
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 5076 wrote to memory of 1508	5076	ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe	97
PID 1508 wrote to memory of 4544	1508	vbc.exe	98
PID 1508 wrote to memory of 4544	1508	vbc.exe	98
PID 1508 wrote to memory of 4544	1508	vbc.exe	98
PID 1508 wrote to memory of 1936	1508	vbc.exe	99
PID 1508 wrote to memory of 1936	1508	vbc.exe	99
PID 1508 wrote to memory of 1936	1508	vbc.exe	99
PID 1508 wrote to memory of 2208	1508	vbc.exe	100
PID 1508 wrote to memory of 2208	1508	vbc.exe	100
PID 1508 wrote to memory of 2208	1508	vbc.exe	100
PID 1508 wrote to memory of 4744	1508	vbc.exe	101
PID 1508 wrote to memory of 4744	1508	vbc.exe	101
PID 1508 wrote to memory of 4744	1508	vbc.exe	101
PID 4544 wrote to memory of 3264	4544	cmd.exe	106
PID 4544 wrote to memory of 3264	4544	cmd.exe	106
PID 4544 wrote to memory of 3264	4544	cmd.exe	106
PID 4744 wrote to memory of 4508	4744	cmd.exe	107
PID 4744 wrote to memory of 4508	4744	cmd.exe	107
PID 4744 wrote to memory of 4508	4744	cmd.exe	107
PID 2208 wrote to memory of 1212	2208	cmd.exe	108
PID 2208 wrote to memory of 1212	2208	cmd.exe	108
PID 2208 wrote to memory of 1212	2208	cmd.exe	108
PID 1936 wrote to memory of 1204	1936	cmd.exe	109
PID 1936 wrote to memory of 1204	1936	cmd.exe	109
PID 1936 wrote to memory of 1204	1936	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac2e6c3ab45d7ec9e42f1a234fe70917_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\27hswll4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F42.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27hswll4.dll

Filesize
5KB

MD5
c571cd57d7945fcd3d6fa0a592dee854

SHA1
c7434d7663b4868ff003718eeba857e8041144f7

SHA256
5152a350d744a870214381b9a98d6d1248f02c8a03b15529764adad43c7c311a

SHA512
027f6e43cc924ad1e698d531015553c2d54f662dbfd56d373f238f9c75906e792b2701f18c80022ac8e55fbb75e82bff87ab3a3550a11c0145c6ec5c21e70329

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F43.tmp

Filesize
1KB

MD5
9a2d3eb38d886b7a589b0437cdf86561

SHA1
026d936f185f83cb0a1352379bb0fa7a1b3b2131

SHA256
3fd6ea377d2abf085524fe5ac9faa9ccbd54aa9e8688d5d4ee573435968d940e

SHA512
d2f1f598514352e216a8f21c55aaaeb493d8907214ce9864307f4182190284262edaca12e827ff53d64da5aaa8d59ad024d9344bfbbfdbeb624e90d95dcca0e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\27hswll4.0.cs

Filesize
4KB

MD5
133eb944405754b31e85f6d10dd9fb0e

SHA1
4dbcc785e30c95d7b187963a511fc90c94771486

SHA256
67d9de518eaa7b129755acfde8ce8771dac635d21181ff1e4620eaeef03fb18b

SHA512
081979cd1e51f09fb0c3fb5a14530bc446513b5238d594d6c345f3d24cb5377f27cdef518f12adec756bae569d9ed3dc5c6ea9ab2375830c41b4f6c38d1cca1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\27hswll4.cmdline

Filesize
206B

MD5
9f53cc492ed8023aaddeb7e7ee505e4b

SHA1
a4a02a2f73889c513a363dc9800c2044fbe8e1f1

SHA256
08ee837739edff7994505af41596b95bf544886db0e4309a1e70f07aa23c4987

SHA512
ed7959d44afa70e0b385c5c3a3007b5225ffeb90b6e154e9c4cc1f4d99169219ce91aaa034bc5f0230af385269a800a697b4960eaba2caa8d79ddcf275e68f4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F42.tmp

Filesize
652B

MD5
d05370768caf7c94b9ba33e75fe64d89

SHA1
d1b28d90039b90d5a354cb50e52c9349dfe0c61e

SHA256
f427f8ca0e6e74d888579200bbfbf3c33eb432e9eb4394369d5253047dd33b32

SHA512
4be90cda5af46b81b18cb23bfbdff3fea060a7ee0a87e91d5d6698e03e0831cbb4f642b62161e78fa3718c0157b1264671dc99407cbe59fe20989a5c77816801

Download Submit
memory/636-6-0x00007FFC12890000-0x00007FFC12A85000-memory.dmp

Filesize
2.0MB

Download
memory/1508-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-31-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-19-0x00007FFC12890000-0x00007FFC12A85000-memory.dmp

Filesize
2.0MB

Download
memory/1508-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-26-0x00007FFC12890000-0x00007FFC12A85000-memory.dmp

Filesize
2.0MB

Download
memory/1508-43-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-39-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-40-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-42-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5076-0-0x00007FFC12890000-0x00007FFC12A85000-memory.dmp

Filesize
2.0MB

Download