4da308603ee7384cc04615083a0ec02ed566618a3196f13de31a35f527fc3c42

Analysis

max time kernel
150s
max time network
24s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe
Size

1.7MB
MD5

d6bc59f01e888bfaf9d09c5675e9fcea
SHA1

e68c0c30ce772b709d06a033fc96614e78a48c7f
SHA256

4da308603ee7384cc04615083a0ec02ed566618a3196f13de31a35f527fc3c42
SHA512

87e34788fdfb7443f72a4d760e744a798854b717e24e510de8466579e0f24acf3202afa28daffab07b212b9bc4fbe6e4e1b3327be5304f873a26991d7144ecf7
SSDEEP

24576:okwPtJdftMbHpMcxP1YZ8CxII81QKx/Ng+Afpz5xjHLIB/L1HzN2RJVanv7w/wbL:haUMu1Hxnx/OzHItLEIXvMp8YD6CAn

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kmmacro.exe = "\"C:\\Windows\\system32\\kmmacro.exe \""	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2596	setup.exe
2752	km macro v0.2 - 1841.exe
2896	kmmacro.exe

Loads dropped DLL 14 IoCs

pid	Process
2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2596	setup.exe
2596	setup.exe
2896	kmmacro.exe
2896	kmmacro.exe
2896	kmmacro.exe
2896	kmmacro.exe
2752	km macro v0.2 - 1841.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001660d-14.dat	upx
behavioral1/memory/2596-16-0x0000000002640000-0x00000000026F9000-memory.dmp	upx
behavioral1/memory/2752-24-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-52-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-53-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-57-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-61-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-65-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-69-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-73-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-77-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-81-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-85-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-89-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-93-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-97-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-101-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2752-105-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2752-52-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-53-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-57-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-61-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-65-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-69-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-73-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-77-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-81-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-85-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-89-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-93-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-97-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-101-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/2752-105-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\km macro v0.2 - 1841.exe	setup.exe
File created	C:\Windows\SysWOW64\kmmacro.exe	setup.exe
File created	C:\Windows\SysWOW64\ntldr.dll	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	km macro v0.2 - 1841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmmacro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2828	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2596	setup.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2896	kmmacro.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	km macro v0.2 - 1841.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2596	setup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe
2752	km macro v0.2 - 1841.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2896	kmmacro.exe
2752	km macro v0.2 - 1841.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2596	2220	d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2752	2596	setup.exe	31
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2896	2596	setup.exe	32
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2596 wrote to memory of 2952	2596	setup.exe	33
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2952 wrote to memory of 2796	2952	cmd.exe	35
PID 2796 wrote to memory of 2828	2796	cmd.exe	36
PID 2796 wrote to memory of 2828	2796	cmd.exe	36
PID 2796 wrote to memory of 2828	2796	cmd.exe	36
PID 2796 wrote to memory of 2828	2796	cmd.exe	36
PID 2796 wrote to memory of 2828	2796	cmd.exe	36
PID 2796 wrote to memory of 2828	2796	cmd.exe	36
PID 2796 wrote to memory of 2828	2796	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6bc59f01e888bfaf9d09c5675e9fcea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\km macro v0.2 - 1841.exe
    "C:\Windows\system32\km macro v0.2 - 1841.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\kmmacro.exe
    "C:\Windows\system32\kmmacro.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c syscheck.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V kmmacro.exe /D "\"C:\Windows\system32\kmmacro.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V kmmacro.exe /D "\"C:\Windows\system32\kmmacro.exe \"" /f
        5⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
163B

MD5
d426ebb74a8cb7aeb5d43470bab4241f

SHA1
8a16cf7ae1ce8d292d3870b6bd7d66e12fe1c8c3

SHA256
8f6f6aa894428e478714e0b1669235ed62d5c7f5290bbb545db026a638459a22

SHA512
fe3aa09bf13c4990ec5b295515f2c42ef6e54bdabe3442cc30998304f5d3a521bde8e1957b469dede88fcd776052034a46b9f9cb582ec6b09b98c0325d5bff42

Download Submit
C:\Windows\SysWOW64\kmmacro.exe

Filesize
237KB

MD5
9f91bb1f5c95527a0d1aaf2f1f268624

SHA1
9d5540dba5559a20c18ad3239030cd4ec703d3a1

SHA256
17c86ca7bed67ffefee5776ff981797a0d0495fc664094a675f49851fb9f5fcc

SHA512
40e7981913d55fa655086d7db5db4e8207e59e4b55d387d63af1e54ea2e9719cd450535ce0ba9710387198b2ff331563da52d8eb0dcdc40378113f32a0acf2f7

Download Submit
C:\Windows\SysWOW64\ntldr.dll

Filesize
92KB

MD5
137c7db8f0d30a5e9e626fd3f6d3df4d

SHA1
df242e294da2e6e0ac2eb1b0d7d435206738073d

SHA256
12283b6ff3b38c56de17eece4e333e694c6217a0b17c7b0900c6ec4c2ed37f27

SHA512
90b87c74bee235369b578d30594e68c3eb7eaac4ed7e8a854ee1eac9f56e8d13a60965a37b60c09de470fb5aecab32441273ca5ef604703f319175136b2bd1da

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.2MB

MD5
29e3b524c0f7cf915ea91d528099fc21

SHA1
1a0c151f3805438ce06359ef7109881820899a78

SHA256
7ce35cad8cda5486014d9831980dcb2b2f7d01162971b22ebce1eae609df8f3c

SHA512
86ded9f9fc81156a1d29b6578459f386f32053046b9d5b8abce2dc5a5dee9d1feaec20d65b5280480fbaef5c4a9c0792216745c3b569ba10fd4af86aad33d8f7

Download Submit
\Windows\SysWOW64\km macro v0.2 - 1841.exe

Filesize
420KB

MD5
151986642e58a1ee3a4fc02c4fbf6f38

SHA1
1f793629b65fe73cef54838eaf999c33fb7ac205

SHA256
cc03e954d50f202ea66de8042d675b3736badc2681351042ceea69577008725a

SHA512
cdaf4e05dd73aa947583d5d142108bf9b45deab626caee6c7e369524373f7b8f31211af6bc1747654772b1decf8b196391eb2f1ef1dee3b77653e7dc8f46eb53

Download Submit
memory/2220-7-0x0000000004000000-0x00000000041BD000-memory.dmp

Filesize
1.7MB

Download
memory/2220-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2596-51-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2596-16-0x0000000002640000-0x00000000026F9000-memory.dmp

Filesize
740KB

Download
memory/2752-54-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2752-57-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-27-0x00000000001A0000-0x0000000000259000-memory.dmp

Filesize
740KB

Download
memory/2752-105-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-52-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-101-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-49-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2752-24-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-53-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-93-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-61-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-97-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-65-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-69-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-73-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-77-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-81-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-85-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2752-89-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2896-56-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2896-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-47-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download