Overview

overview

10

Static

static

3

e95e5a67df...18.exe

windows7-x64

10

e95e5a67df...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2024 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe

  • Size

    824KB

  • MD5

    e95e5a67df941e7150f0c73a5c63f1b1

  • SHA1

    1cfedfbbff4202fee0a38ecb775cf189ae4f9739

  • SHA256

    008e85f1c73c905fba2a072db714e5e268548b8ec38646b2455cf0b8be1e2f88

  • SHA512

    afe1fa188a2250c74ac7cad3cc9b400fa0759b691ebe126d812e3769b92364982e29e57c1eb4d42357ff89e2344efb8e312749044e4c8dd031a57ec872a7cfca

  • SSDEEP

    24576:vaT1xyiQQNN3iR1n7HNhf1TlaBVUiYUT:ybAQH817HNhnaPUiYU

Score
10/10
metasploitbackdoordiscoverytrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 20 IoCs
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • NTFS ADS 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\wplayer.exe
        C:\Windows\system32\wplayer.exe 1292 "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Windows\SysWOW64\wplayer.exe
          C:\Windows\system32\wplayer.exe 1292 "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
          4⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          PID:4584
          • C:\Windows\SysWOW64\wplayer.exe
            C:\Windows\system32\wplayer.exe 1448 "C:\Windows\SysWOW64\wplayer.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4764
            • C:\Windows\SysWOW64\wplayer.exe
              C:\Windows\system32\wplayer.exe 1448 "C:\Windows\SysWOW64\wplayer.exe"
              6⤵
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • NTFS ADS
              • Suspicious use of AdjustPrivilegeToken
              PID:4864
              • C:\Windows\SysWOW64\wplayer.exe
                C:\Windows\system32\wplayer.exe 1464 "C:\Windows\SysWOW64\wplayer.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2324
                • C:\Windows\SysWOW64\wplayer.exe
                  C:\Windows\system32\wplayer.exe 1464 "C:\Windows\SysWOW64\wplayer.exe"
                  8⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • NTFS ADS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2604
                  • C:\Windows\SysWOW64\wplayer.exe
                    C:\Windows\system32\wplayer.exe 1460 "C:\Windows\SysWOW64\wplayer.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:4768
                    • C:\Windows\SysWOW64\wplayer.exe
                      C:\Windows\system32\wplayer.exe 1460 "C:\Windows\SysWOW64\wplayer.exe"
                      10⤵
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • NTFS ADS
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2872
                      • C:\Windows\SysWOW64\wplayer.exe
                        C:\Windows\system32\wplayer.exe 1492 "C:\Windows\SysWOW64\wplayer.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5016
                        • C:\Windows\SysWOW64\wplayer.exe
                          C:\Windows\system32\wplayer.exe 1492 "C:\Windows\SysWOW64\wplayer.exe"
                          12⤵
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • NTFS ADS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:684
                          • C:\Windows\SysWOW64\wplayer.exe
                            C:\Windows\system32\wplayer.exe 1504 "C:\Windows\SysWOW64\wplayer.exe"
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2168
                            • C:\Windows\SysWOW64\wplayer.exe
                              C:\Windows\system32\wplayer.exe 1504 "C:\Windows\SysWOW64\wplayer.exe"
                              14⤵
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • NTFS ADS
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4932
                              • C:\Windows\SysWOW64\wplayer.exe
                                C:\Windows\system32\wplayer.exe 1496 "C:\Windows\SysWOW64\wplayer.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:2284
                                • C:\Windows\SysWOW64\wplayer.exe
                                  C:\Windows\system32\wplayer.exe 1496 "C:\Windows\SysWOW64\wplayer.exe"
                                  16⤵
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • NTFS ADS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2704
                                  • C:\Windows\SysWOW64\wplayer.exe
                                    C:\Windows\system32\wplayer.exe 1532 "C:\Windows\SysWOW64\wplayer.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:4144
                                    • C:\Windows\SysWOW64\wplayer.exe
                                      C:\Windows\system32\wplayer.exe 1532 "C:\Windows\SysWOW64\wplayer.exe"
                                      18⤵
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • NTFS ADS
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3472
                                      • C:\Windows\SysWOW64\wplayer.exe
                                        C:\Windows\system32\wplayer.exe 1540 "C:\Windows\SysWOW64\wplayer.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:3936
                                        • C:\Windows\SysWOW64\wplayer.exe
                                          C:\Windows\system32\wplayer.exe 1540 "C:\Windows\SysWOW64\wplayer.exe"
                                          20⤵
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • NTFS ADS
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3272
                                          • C:\Windows\SysWOW64\wplayer.exe
                                            C:\Windows\system32\wplayer.exe 1552 "C:\Windows\SysWOW64\wplayer.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:1840
                                            • C:\Windows\SysWOW64\wplayer.exe
                                              C:\Windows\system32\wplayer.exe 1552 "C:\Windows\SysWOW64\wplayer.exe"
                                              22⤵
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • NTFS ADS
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    37cc21c4fbffe1a0800140588359049d

    SHA1

    f91f0ab24a3d13a522a8f3263370330198fc3d04

    SHA256

    de456a519503107736b6fa9f89b23feb67ddd6d5709a4e24c0044265793ea244

    SHA512

    07cf64c084a7963a8274f3e5681f303039c708688219a4d8322ca54de6a295fc9f9963dd8f123a5a148ce0e62a4f125c03c03df53f1ba909ff39467b9a06bea3

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    a37ef3f692951c7ee350d043ebad14ab

    SHA1

    420549454818c0ed8a5d11bdb89861fc5acd76fe

    SHA256

    a4b23dffe5db65025ac3bcee6d08089204d18482d733fba86854a3065e55dda2

    SHA512

    84c5fa8fe84a41c684f58dc83b41a0deb08a576084acf6b375c92185a7ab9292ff2138989387c1e3a82b8bb8b84b9fc579010af8c4a14a07561f2a811969cd3e

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    d580e2449d24c2a72d24a459e16e4313

    SHA1

    d56ee30ea1c4a0ca1bc9fe73301fa87442eb09f7

    SHA256

    2e9c2c25d42970e26d41d6d97bbca1a84faf130d70c35a71558cf0f795866ce4

    SHA512

    d3776a3af38c64af5c7c952c7c7c3a6ef8a9fa17acdf0d122832c9f288dda654659cb8181d670993fbcdd0ff02f66a7cefad14f8acef9d30f0c398db0c7cf132

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    506e54d3064b52649f65a3ffea5b4bfb

    SHA1

    414fb65a200824d99ecc4b141aab372dac047d9d

    SHA256

    ec678cb3dac7c3c732011fccf3f12d7a302a5d55f5127519b1bffc2e11bf4819

    SHA512

    9ab33fa2b52c4a8b42c237235386c840fbd8054c1bfe639ebadc435594cb4036ae5488f5af2a57134006b7e94b89fb3fc7cf8f8f5060d90e393c131920291080

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    8428f991d7724328b03157e5b495c629

    SHA1

    a13db922451652d965990e17c3983a87b25c1c8f

    SHA256

    0c17cbe9a21b1aea986e0f1eb5453285b5b1b79d5b868bdfe7bc7bbb2a7b5d17

    SHA512

    f333bcc7136e9e8a2f3ef539d0317291bba6a43c608a5e091db698c19ebedde7233a40bd647086a2ceab344222176eb3945226263fd86bc22f025b2db00b4bff

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    075057bcea19a418d589480d3d541a79

    SHA1

    3c9e09cd13351550e5101a65e2373358fdd905ff

    SHA256

    3dce66791f75b8c6bc711aa7ab23768d106beb285b195066eb1ff745b2a1d08f

    SHA512

    db5cb0cbff9497e3a3523d745739c1c5ec96ae4115d500380dd1b252cd024c6eefe48c8d162a6455b8b6829baabdfcbe0b2838b1481af59d6222c63b7aa0258c

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    98bb0b0445d24a583d6fb05b38da5afc

    SHA1

    0fc4a62400e16f0d19566bbde89b54e01dcb768d

    SHA256

    505ce2e641b860f9f02104baf6a8ac0b76516a8ac1170a80a824d7d81e511c56

    SHA512

    bda5ef7a4efe116aef48e02d61856901d41546891b3065a2ab05da0de3ce054eae545eed7538920c1a3fdab7ab979aa47f7985b2d269e3c1c88c14856c0e0f24

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    783da3ac22f124e26071834fe4fafc16

    SHA1

    3290fedcdb58cecd2401957236230849587e13ee

    SHA256

    ea120791937b4e4cc2efa222a25eb36aece2685690c9c0edd3f2a710319d5fe7

    SHA512

    68b9d065b21ad657bdc55369a8332df58f11efb792d5c042110436494f5a153b3adf37a53e357a5aaf746a691050ef100aeb238f7acd9a61ab115dd14d1cf88f

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    e5641dfaf8e0d98b724c261dc9e838d0

    SHA1

    31042d055ad7d96f197f16ab75e63f8d2419a6aa

    SHA256

    80ba0a97c87b192c8908b8e1faf873c8a4583ceed5a96ca62b2f929af7d75565

    SHA512

    e6aafcf0c2accdfb4ac13691b8cd0406a795763c6258895bd280e837b6532e71f85943a701627a50588190a9e9b524e8a578a6bde0701684f3c2870f10b37a37

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    16d56748865a786ad86903d375926b11

    SHA1

    cede35fe0a1c3b50fc3fe5ce5a791b6dc8a2f3b8

    SHA256

    af4265f94d072d7c67ec3fc4818044f27c8c8e459e47effec79cb87abe69113b

    SHA512

    997ba232d08b31083367e5d19ba6879ff183056b7fab5bb3affefc7d5f32af1cc69a6f93058936a767b48d6eb29ec32d0ca98b1f176d17898d70fcd28496814a

    Download Submit

  • C:\ProgramData\TEMP:5D2892D9
    Filesize

    123B

    MD5

    a066bec59590c8a90ce2280d8831f5b1

    SHA1

    deb8d7c582541864f870a5805a8914bb59831285

    SHA256

    a8251151ddb1dbdcf01e2d82acc102478dad887181b275b80466e1b12248b7b7

    SHA512

    b2f2a2a9611ed0206759abb92236219fec1ce906d8ee224dddedaff58b6dc1ff403db5e2167387edbcdf232a6d35f17d4c063bd2babc8117a61111b9cd7e1feb

    Download Submit

  • C:\Windows\SysWOW64\wplayer.exe
    Filesize

    824KB

    MD5

    e95e5a67df941e7150f0c73a5c63f1b1

    SHA1

    1cfedfbbff4202fee0a38ecb775cf189ae4f9739

    SHA256

    008e85f1c73c905fba2a072db714e5e268548b8ec38646b2455cf0b8be1e2f88

    SHA512

    afe1fa188a2250c74ac7cad3cc9b400fa0759b691ebe126d812e3769b92364982e29e57c1eb4d42357ff89e2344efb8e312749044e4c8dd031a57ec872a7cfca

    Download Submit

  • memory/1840-307-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2168-191-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2168-216-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2284-220-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2284-245-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2324-127-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2324-105-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2604-119-0x0000000000870000-0x0000000000905000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2604-100-0x0000000000870000-0x0000000000905000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2604-96-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2604-91-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2604-93-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2604-103-0x0000000000870000-0x0000000000905000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2604-98-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2604-83-0x0000000000870000-0x0000000000905000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2604-99-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2604-94-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2872-111-0x0000000000910000-0x00000000009A5000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2872-124-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3384-24-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3384-69-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3384-47-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3620-34-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3620-0-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3936-300-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3936-278-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-4-0x0000000002180000-0x0000000002215000-memory.dmp

    Filesize

    596KB

    Download

  • memory/3984-14-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-9-0x0000000002180000-0x0000000002215000-memory.dmp

    Filesize

    596KB

    Download

  • memory/3984-11-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-10-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-13-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-28-0x0000000002180000-0x0000000002215000-memory.dmp

    Filesize

    596KB

    Download

  • memory/3984-12-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-16-0x0000000002180000-0x0000000002215000-memory.dmp

    Filesize

    596KB

    Download

  • memory/3984-15-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3984-2-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4144-274-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4144-249-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-41-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-45-0x0000000002140000-0x00000000021D5000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4584-27-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-29-0x0000000002140000-0x00000000021D5000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4584-40-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-42-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-39-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-38-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-37-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4584-43-0x0000000002140000-0x00000000021D5000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4584-68-0x0000000002140000-0x00000000021D5000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4764-76-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4764-101-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4768-134-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4768-148-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-70-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-63-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-54-0x00000000005A0000-0x0000000000635000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4864-72-0x00000000005A0000-0x0000000000635000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4864-71-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-61-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-64-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-62-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4864-74-0x00000000005A0000-0x0000000000635000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4864-90-0x00000000005A0000-0x0000000000635000-memory.dmp

    Filesize

    596KB

    Download

  • memory/5016-187-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5016-162-0x0000000000400000-0x000000000059E000-memory.dmp

    Filesize

    1.6MB

    Download