Overview

overview

10

Static

static

3

da7e858452...18.exe

windows7-x64

10

da7e858452...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe

  • Size

    529KB

  • MD5

    da7e858452919019ee6c61c5c158f28b

  • SHA1

    875f2a668abc6c70ec1bba1584b9e4f6e75d8cfc

  • SHA256

    5db5cc276c0731467390e4369345ffe9c349c221df5fc1d58dbdd27e6963ac50

  • SHA512

    d2eb6775bbe9678e92bb87deeba38d1ac5a9a86ee5df8d5a8d50c69a1475bb2a792ff1b6d20142a7812f0f4f158cdc2cf8ab50263c738842f3e80ce5435a6c35

  • SSDEEP

    12288:QyeWT96x+MN2N4Bou8Bw1bFsIPNHqC5xlA0l:QyeAEwN4BuYFsI1KyV

Score
10/10
discoveryevasionexecutiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 11 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\ProgramData\ееЕаАххВОеЕао.exe
      "C:\ProgramData\ееЕаАххВОеЕао.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Windows\system32\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          PID:1552
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\system32\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          PID:3020
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3376
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableBehaviorMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableBlockAtFirstSeen $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3120
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIOAVProtection $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3600
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisablePrivacyMode $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1088
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4136
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -SevereThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4836
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -LowThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4312
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -ModerateThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4464
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableScriptScanning $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4780
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4116
    • C:\Users\Admin\AppData\Roaming\NetLibs14\ееЕаАххВОеЕао.exe
      C:\Users\Admin\AppData\Roaming\NetLibs14\ееЕаАххВОеЕао.exe
      1⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2012
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        2⤵
          PID:2144
          • C:\Windows\system32\sc.exe
            sc stop WinDefend
            3⤵
            • Launches sc.exe
            PID:1756
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
          2⤵
            PID:1868
            • C:\Windows\system32\sc.exe
              sc delete WinDefend
              3⤵
              • Launches sc.exe
              PID:1908
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            2⤵
              PID:4492
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Set-MpPreference -DisableRealtimeMonitoring $true
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
              2⤵
                PID:4540
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell Set-MpPreference -DisableBehaviorMonitoring $true
                  3⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:208
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
                2⤵
                  PID:1576
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell Set-MpPreference -DisableBlockAtFirstSeen $true
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:772
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
                  2⤵
                    PID:812
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell Set-MpPreference -DisableIOAVProtection $true
                      3⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3856
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
                    2⤵
                      PID:2820
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell Set-MpPreference -DisablePrivacyMode $true
                        3⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4332
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
                      2⤵
                        PID:2196
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3892
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
                        2⤵
                          PID:4952
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell Set-MpPreference -SevereThreatDefaultAction 6
                            3⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1508
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
                          2⤵
                            PID:4632
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell Set-MpPreference -LowThreatDefaultAction 6
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2864
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
                            2⤵
                              PID:4312
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell Set-MpPreference -ModerateThreatDefaultAction 6
                                3⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1688
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
                              2⤵
                                PID:3612
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Set-MpPreference -DisableScriptScanning $true
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2760
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe
                                2⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1224

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\ееЕаАххВОеЕао.exe
                              Filesize

                              529KB

                              MD5

                              da7e858452919019ee6c61c5c158f28b

                              SHA1

                              875f2a668abc6c70ec1bba1584b9e4f6e75d8cfc

                              SHA256

                              5db5cc276c0731467390e4369345ffe9c349c221df5fc1d58dbdd27e6963ac50

                              SHA512

                              d2eb6775bbe9678e92bb87deeba38d1ac5a9a86ee5df8d5a8d50c69a1475bb2a792ff1b6d20142a7812f0f4f158cdc2cf8ab50263c738842f3e80ce5435a6c35

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              59d97011e091004eaffb9816aa0b9abd

                              SHA1

                              1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                              SHA256

                              18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                              SHA512

                              d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              948B

                              MD5

                              01d89dd05c27325bbfe34d7a2bc716ad

                              SHA1

                              fa0a5ce95e7e989da44face5a736172aba834ddc

                              SHA256

                              52bf1aacc2b2f03b2bbdca40b7eff5e041c8f2892575b3bf5cbaa000a02f71e9

                              SHA512

                              d7500eae5877d297fec543b607a1e6764ac07002178e92306de9b5a9cc76d9f42cdaa9a2b086ed1d3174c660afa120228affa80a4fb1ac4a430f7028449e0adb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              62623d22bd9e037191765d5083ce16a3

                              SHA1

                              4a07da6872672f715a4780513d95ed8ddeefd259

                              SHA256

                              95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                              SHA512

                              9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              948B

                              MD5

                              e339c0ad3aca4c33b09c7c76ed797a15

                              SHA1

                              774102d11041d48de215821b67686774605ae7c8

                              SHA256

                              2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

                              SHA512

                              13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sny2tlqf.inz.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              4KB

                              MD5

                              bdb25c22d14ec917e30faf353826c5de

                              SHA1

                              6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                              SHA256

                              e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                              SHA512

                              b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                              Download Submit

                            • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              b42c70c1dbf0d1d477ec86902db9e986

                              SHA1

                              1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                              SHA256

                              8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                              SHA512

                              57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                              Download Submit

                            • memory/1224-355-0x0000000010000000-0x000000001001E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/1224-328-0x0000000010000000-0x000000001001E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/2012-332-0x0000000001C90000-0x0000000001F59000-memory.dmp

                              Filesize

                              2.8MB

                              Download

                            • memory/2012-331-0x0000000001BD0000-0x0000000001C8E000-memory.dmp

                              Filesize

                              760KB

                              Download

                            • memory/2012-324-0x0000000010000000-0x0000000010007000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/2056-28-0x000001A0308C0000-0x000001A0308E2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2164-313-0x000002567FA20000-0x000002567FA26000-memory.dmp

                              Filesize

                              24KB

                              Download

                            • memory/2164-314-0x000002567FA30000-0x000002567FA3A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/2164-207-0x000002567F7B0000-0x000002567F7CC000-memory.dmp

                              Filesize

                              112KB

                              Download

                            • memory/2164-214-0x000002567F890000-0x000002567F89A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/2164-246-0x000002567FA00000-0x000002567FA1C000-memory.dmp

                              Filesize

                              112KB

                              Download

                            • memory/2164-292-0x000002567F9E0000-0x000002567F9EA000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/2164-293-0x000002567FA40000-0x000002567FA5A000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/2164-312-0x000002567F9F0000-0x000002567F9F8000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/2164-208-0x000002567F7D0000-0x000002567F885000-memory.dmp

                              Filesize

                              724KB

                              Download

                            • memory/2500-129-0x0000000002160000-0x000000000218C000-memory.dmp

                              Filesize

                              176KB

                              Download

                            • memory/2500-128-0x00000000030F0000-0x00000000033B9000-memory.dmp

                              Filesize

                              2.8MB

                              Download

                            • memory/2500-127-0x0000000003030000-0x00000000030EE000-memory.dmp

                              Filesize

                              760KB

                              Download

                            • memory/2500-122-0x0000000010000000-0x0000000010007000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/2500-120-0x0000000010000000-0x0000000010007000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/2500-9-0x0000000002160000-0x000000000218C000-memory.dmp

                              Filesize

                              176KB

                              Download

                            • memory/4116-125-0x0000000010000000-0x000000001001E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/4116-124-0x0000000010000000-0x000000001001E000-memory.dmp

                              Filesize

                              120KB

                              Download