ad40467c37cef7463a5b7c9d3948170b8ae2324e55d6d73e8e6b859228286b37

Analysis

max time kernel
142s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
Size

216KB
MD5

b63bf326cb8776d28e91539dac2c1265
SHA1

2c165a747e2af1e0c760aefa15454ab6c8f12da8
SHA256

ad40467c37cef7463a5b7c9d3948170b8ae2324e55d6d73e8e6b859228286b37
SHA512

290c4f068b06cc58755f9cdc87f1e42b72045021db0ae258bbcaad5c14f077248aff6342ec46bb749f8d322dc94f889082baff77d7532c6079053cc022957459
SSDEEP

3072:jSB5qSR3bSUm4R8WSXB0bXjuz31HWHUtesybqm:jSeUm/WSXAseHbq

Score

10^/10

bootkit discovery evasion persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Dofake.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Dofake.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2280	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000012273-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	Dofake.exe

Loads dropped DLL 7 IoCs

pid	Process
2188	regsvr32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/files/0x000c000000012273-5.dat	upx
behavioral1/memory/2280-11-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2280-12-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2392-13-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/2392-33-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/2280-146-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2280-150-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2280-151-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2280-152-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2280-153-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral1/memory/2280-154-0x0000000010000000-0x0000000010028000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Dofake.exe
File opened (read-only)	\??\M:	Dofake.exe
File opened (read-only)	\??\E:	Dofake.exe
File opened (read-only)	\??\G:	Dofake.exe
File opened (read-only)	\??\H:	Dofake.exe
File opened (read-only)	\??\I:	Dofake.exe
File opened (read-only)	\??\J:	Dofake.exe
File opened (read-only)	\??\K:	Dofake.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msn6561.dll	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msn6561.dll	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssshile.dll	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dofake.exe	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dofake.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\ssshile.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ssshile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2280	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
2628	Dofake.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2188	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2280	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2628	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	33
PID 2392 wrote to memory of 2628	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	33
PID 2392 wrote to memory of 2628	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	33
PID 2392 wrote to memory of 2628	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	33
PID 2392 wrote to memory of 2616	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2616	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2616	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2616	2392	b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b63bf326cb8776d28e91539dac2c1265_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\ssshile.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 msn6561.dll , InstallMyDll
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Windows\SysWOW64\Dofake.exe
  C:\Windows\System32\Dofake.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 375519961O57540.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat

Filesize
2KB

MD5
e024defdc3d4878a172df36071b1b928

SHA1
59697a7358c0449376b3fb763633edb890faeb4f

SHA256
88dee481c1410546996e93133fc605cce3c8109b0e6ad77e1004d0949de23056

SHA512
63e3ca4b870fa137e742002a67676ea63f675caa3c596dfe60a6db1e9d8e96431006e462073b105d325f389bccbf6ce17234dfcedc6d615eca3d3836b64713bd

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
2KB

MD5
3b9123e58c22dfba46bb70e839cf5b53

SHA1
eff940aaf0a6c435a542b87b2ed825e6d4db739c

SHA256
b8d65ec76ff9eff9dfdec033a126a728b6dce4ac50d2cfab289da1da07d181cd

SHA512
a7ae5f421bb427286557dfcd5f47f3cc3ff9fd20bb674a6f1da74dfdf5295a620dceff6858ddb5ae4adfc2eee5776d82c90f7ddbdb859ba3ba2e0d70c3fe74a7

Download Submit
C:\Windows\SysWOW64\msn6561.dll

Filesize
34KB

MD5
2850424792c45d045064fd20caee9154

SHA1
07575ab6e60ec261d724dad00a952fd376c66a43

SHA256
f04bba4986055df9fadba6356fa4b49cfb08647c46e4d9d67ee4d87ab826758d

SHA512
fae07fc61102eb98d2add60df6a8a2c92dbe5b5b80b1de91e009d1271f07937d95f31d7f05b04a36d2cedf501215c4536d33b3c7f6afc81eb738322a7c96664f

Download Submit
C:\Windows\SysWOW64\ssshile.dll

Filesize
56KB

MD5
d56187f40d666692aafe6573d57eed4f

SHA1
bbc4d3c09668e521408b71bb1a6ea4eaa6a5bb79

SHA256
f8309a95f297d4818e3f8b957f144fe95425f8b467db324f12c19a6fb7b9b436

SHA512
2163d8dbf29a3a4add720b020d4531078b18f09a33f44c7a9ba0a93f46ccd7a79788e7974ec1fcba2fe9b71686cea8b311a0bd848874c5b416863608b5ce1422

Download Submit
\Windows\SysWOW64\Dofake.exe

Filesize
96KB

MD5
a6added823aee4871efe1a4ca8f47a09

SHA1
b39cc6522719748ca0481536e2f1e6405e95567f

SHA256
50b5ddd1e166865865e26fc960faa4e347734c39e632efed1d713d96b93d010b

SHA512
d6e0d9c968059ec9553bcf76d109be7ae373087701cc907a5c260f90d9a4071e64d9f0fa5abecc8fbadb8b7823cf18496fc92c32bf348483b614912296a2da8d

Download Submit
memory/2280-9-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-12-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-11-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-146-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-150-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-151-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-152-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-153-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2280-154-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2392-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2392-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2392-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download