Overview

overview

10

Static

static

10

dccf16604b...18.exe

windows7-x64

10

dccf16604b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 18:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dccf16604bbf396f865b104009d58609_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    dccf16604bbf396f865b104009d58609

  • SHA1

    fcdb6fec618922d92320e84de1aeb098fa16522c

  • SHA256

    b1aee6db8a0dcf662c5cd712a4a322f2f37c0e2c8c44d5c0b9848d74e1626991

  • SHA512

    5a62fad02dc2cdb5d2a9ee00d81d2e9c3d0313dbef55dc6fd465ae4834c2d33dc8bdf50e4fe174d58407b807c602c25b47d8d550fc09c8e2f21462d637ae4bd3

  • SSDEEP

    24576:/nAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJup1BjyzNacUsjJ5d7yeifIhH4tTcNsU:fELbVMTrOq46NaUs+IN4tTcNsU

Score
10/10
darkcometyulgangdiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Yulgang

C2

subcamfrog.no-ip.org:88

Mutex

MUTEX-0HK10RV

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    AjT6Fkh3DHxL

  • install

    true

  • offline_keylogger

    true

  • password

    123456123

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Sets file to hidden 1 TTPs 16 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 16 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\dccf16604bbf396f865b104009d58609_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dccf16604bbf396f865b104009d58609_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\dccf16604bbf396f865b104009d58609_JaffaCakes118.exe" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\dccf16604bbf396f865b104009d58609_JaffaCakes118.exe" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2152
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1808
    • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2224
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1960
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2740
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2712
      • C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe
        "C:\Windows\system32\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2468
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2108
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:3044
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2832
        • C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe
          "C:\Windows\system32\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          PID:544
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe" +s +h
            5⤵
            • System Location Discovery: System Language Discovery
            PID:540
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe" +s +h
              6⤵
              • Sets file to hidden
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:2628
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL" +s +h
            5⤵
            • System Location Discovery: System Language Discovery
            PID:624
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL" +s +h
              6⤵
              • Sets file to hidden
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:1848
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1040
          • C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe
            "C:\Windows\system32\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:1836
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe" +s +h
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2348
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe" +s +h
                7⤵
                • Sets file to hidden
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:2080
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL" +s +h
              6⤵
              • System Location Discovery: System Language Discovery
              PID:908
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL" +s +h
                7⤵
                • Sets file to hidden
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:1236
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • System Location Discovery: System Language Discovery
              PID:952
            • C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe
              "C:\Windows\system32\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              PID:1644
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe" +s +h
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1260
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL\msdcsc.exe" +s +h
                  8⤵
                  • Sets file to hidden
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Views/modifies file attributes
                  PID:2652
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL" +s +h
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2640
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\AjT6Fkh3DHxL" +s +h
                  8⤵
                  • Sets file to hidden
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Views/modifies file attributes
                  PID:1192
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1852
              • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
                "C:\Windows\system32\MSDCSC\msdcsc.exe"
                7⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                PID:2136
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1708
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
                    9⤵
                    • Sets file to hidden
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Views/modifies file attributes
                    PID:900
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:760
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
                    9⤵
                    • Sets file to hidden
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Views/modifies file attributes
                    PID:2120
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2692
                • C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe
                  "C:\Windows\system32\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe"
                  8⤵
                  • Modifies WinLogon for persistence
                  • Modifies firewall policy service
                  • Modifies security service
                  • Windows security bypass
                  • Executes dropped EXE
                  • Windows security modification
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1616
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe" +s +h
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2704
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL\msdcsc.exe" +s +h
                      10⤵
                      • Sets file to hidden
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Views/modifies file attributes
                      PID:2476
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL" +s +h
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2896
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib "C:\Windows\SysWOW64\MSDCSC\AjT6Fkh3DHxL" +s +h
                      10⤵
                      • Sets file to hidden
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Views/modifies file attributes
                      PID:3036
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                    9⤵
                      PID:2632
                    • C:\Windows\explorer.exe
                      "C:\Windows\explorer.exe"
                      9⤵
                        PID:1740
                      • C:\Windows\SysWOW64\notepad.exe
                        notepad
                        9⤵
                        • System Location Discovery: System Language Discovery
                        PID:888
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-364096252457472825-10728897362499709262042449100-7294929111991491-933181436"
        1⤵
          PID:768
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-932305296-1761645894-938469955-18458823081438158255-425898944482769442418658710"
          1⤵
            PID:2152

          Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Create or Modify System Process

                2
                T1543

                Windows Service

                2
                T1543.003

                Privilege Escalation

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Create or Modify System Process

                2
                T1543

                Windows Service

                2
                T1543.003

                Defense Evasion

                Hide Artifacts

                2
                T1564

                Hidden Files and Directories

                2
                T1564.001

                Impair Defenses

                3
                T1562

                Disable or Modify System Firewall

                1
                T1562.004

                Disable or Modify Tools

                2
                T1562.001

                Modify Registry

                7
                T1112

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
                  Filesize

                  1.7MB

                  MD5

                  dccf16604bbf396f865b104009d58609

                  SHA1

                  fcdb6fec618922d92320e84de1aeb098fa16522c

                  SHA256

                  b1aee6db8a0dcf662c5cd712a4a322f2f37c0e2c8c44d5c0b9848d74e1626991

                  SHA512

                  5a62fad02dc2cdb5d2a9ee00d81d2e9c3d0313dbef55dc6fd465ae4834c2d33dc8bdf50e4fe174d58407b807c602c25b47d8d550fc09c8e2f21462d637ae4bd3

                  Download Submit

                • memory/544-1224-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/544-1225-0x00000000075F0000-0x00000000077AE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/544-947-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1304-275-0x000000007EF70000-0x000000007EF71000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-34-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-22-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-21-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-20-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-19-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-17-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-16-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-15-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-14-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-13-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-35-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-12-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-38-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-41-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-10-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-44-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-9-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-47-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-49-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-52-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-54-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-56-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-8-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-58-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-60-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-64-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-62-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-7-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-6-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-43-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-63-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-61-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-59-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-57-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-55-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-53-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-51-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-50-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-48-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-46-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-45-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-42-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-264-0x0000000077F90000-0x0000000077F97000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-25-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-276-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1304-0-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-23-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-274-0x000000007EF40000-0x000000007EF41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-271-0x000000007EF60000-0x000000007EF61000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-24-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-270-0x0000000077F60000-0x0000000077F67000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-256-0x0000000077F30000-0x0000000077F37000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-314-0x0000000005D90000-0x0000000005F4E000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1304-26-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-27-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-28-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-269-0x000000007EF30000-0x000000007EF31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-18-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-29-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-11-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-30-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-263-0x0000000078010000-0x0000000078017000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-262-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-261-0x0000000078000000-0x0000000078007000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-260-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-259-0x000000007EEC0000-0x000000007EEC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-258-0x000000007EF10000-0x000000007EF11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-257-0x0000000077FB0000-0x0000000077FB7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-315-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1304-1-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-2-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1304-255-0x0000000077FE0000-0x0000000077FE7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-254-0x000000007EF00000-0x000000007EF01000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-253-0x0000000077FC0000-0x0000000077FC7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-252-0x0000000077FA0000-0x0000000077FA7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-251-0x0000000077F50000-0x0000000077F57000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-250-0x0000000077F40000-0x0000000077F47000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1304-249-0x000000007EF80000-0x000000007EF81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-170-0x000000007EEE0000-0x000000007EEE1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-169-0x000000007EF90000-0x000000007EF91000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-168-0x000000007EF20000-0x000000007EF21000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1304-40-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-31-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-39-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-37-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-36-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-32-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1304-33-0x0000000001DE0000-0x0000000001ED1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/1616-2429-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1644-1846-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1808-294-0x0000000000190000-0x0000000000191000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1836-1680-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/2136-1877-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/2136-2427-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3028-928-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3028-926-0x00000000073A0000-0x000000000755E000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3048-330-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3048-620-0x00000000075D0000-0x000000000778E000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3048-621-0x00000000075D0000-0x000000000778E000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/3048-623-0x0000000000400000-0x00000000005BE000-memory.dmp

                  Filesize

                  1.7MB

                  Download