Overview

overview

10

Static

static

5

fa218cab68...18.exe

windows7-x64

10

fa218cab68...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2024 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa218cab688dd5f74244773a38ea6310_JaffaCakes118.exe

  • Size

    5.0MB

  • MD5

    fa218cab688dd5f74244773a38ea6310

  • SHA1

    d5243f15bb6cd9a7d3444da5aeaf5c307a77c785

  • SHA256

    d8a1cfc8d4667abafd7af53ea54e53310c7067e9f6ed9bd7234a17cc524a1e7a

  • SHA512

    bd504e1337805bd80321d4e8ad7429dcbf2f759795c25418f51034dca0489dbf4aef5ec9dc32b722f13f2bd535c678fb688a36906c786c0836c428da4760ce2a

  • SSDEEP

    98304:vTqgox/pe8fs+CMm8KGm8cIQHb2uM3OtIdjEnRgoAvuGYtJK:bqggxCMmRXIQHDIdjEnRgTv/GJK

Score
10/10
dcratqulabdiscoveryevasioninfostealerransomwareratspywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\Information.txt

Family

qulab

Ransom Note
# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 27.09.2024, 09:16:03 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: MXQFNXLT - Processor: Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 256 - csrss.exe / PID: 332 - wininit.exe / PID: 384 - csrss.exe / PID: 396 - winlogon.exe / PID: 432 - services.exe / PID: 476 - lsass.exe / PID: 492 - lsm.exe / PID: 500 - svchost.exe / PID: 600 - svchost.exe / PID: 676 - svchost.exe / PID: 740 - svchost.exe / PID: 812 - svchost.exe / PID: 852 - audiodg.exe / PID: 924 - svchost.exe / PID: 968 - svchost.exe / PID: 272 - spoolsv.exe / PID: 352 - svchost.exe / PID: 1076 - taskhost.exe / PID: 1112 - dwm.exe / PID: 1164 - explorer.exe / PID: 1212 - OSPPSVC.EXE / PID: 568 - WmiPrvSE.exe / PID: 1204 - dllhost.exe / PID: 1612 - svchost.exe / PID: 2444 - sppsvc.exe / PID: 2216 - WMIADAP.exe / PID: 2996 - wscript.exe / PID: 2416 - CHxReadingStringIME.exe / PID: 1496
URLs

http://teleg.run/QulabZ

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

    stealerqulab
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa218cab688dd5f74244773a38ea6310_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa218cab688dd5f74244773a38ea6310_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System\System.vbe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\System\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat" "
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Users\Admin\AppData\Roaming\System\systemscr.exe
          C:\Users\Admin\AppData\Roaming/System/systemscr.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2276
      • C:\Users\Admin\AppData\Roaming\System\WatchBull.exe
        "C:\Users\Admin\AppData\Roaming\System\WatchBull.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 596
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2624
      • C:\Users\Admin\AppData\Roaming\System\RegeditFrameHost.exe
        "C:\Users\Admin\AppData\Roaming\System\RegeditFrameHost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Users\Admin\AppData\Roaming\System\e6ee5674bb9446c78bbc5729af6e2c28.exe
        "C:\Users\Admin\AppData\Roaming\System\e6ee5674bb9446c78bbc5729af6e2c28.exe"
        3⤵
        • Executes dropped EXE
        PID:1532
    • C:\Users\Admin\AppData\Roaming\System\Build.exe
      "C:\Users\Admin\AppData\Roaming\System\Build.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe
          C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\ENU_687FE974C8E618DE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\*"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2112
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2260
    • C:\Users\Admin\AppData\Roaming\System\Windows defender.exe
      "C:\Users\Admin\AppData\Roaming\System\Windows defender.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2656
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FBE86CBB-44E8-4AE5-B997-1EFA75CF2790} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2520
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\System\Build.exe
    Filesize

    1.8MB

    MD5

    e214a631536d3b7681316734308b8f4c

    SHA1

    a7b69b5d14fb7cb327cbecd90dfa21df59910e54

    SHA256

    4833cb9284e322e49aac5fcc90bd786cc1661e1179c936b9129c4848cccebfbd

    SHA512

    3e87bd06dc71e412493f782c1d4f08f2051a6abdf8a8c2045d8307d88e664d63b353d4d5de5bd3264b824dca74f50c39490a9678a9069f3bdf1ec59c5cb173fe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat
    Filesize

    733B

    MD5

    c222c105a5357b75cbc8e69409800bab

    SHA1

    3b8db954893030fd4216b7dd19489fd63d7bc42e

    SHA256

    6910147b79d4cf9d6a55075a6778fe19de3ebb72860cfd36802a7ba7800dd6c8

    SHA512

    8a8cadb04dbb6a3f2ac3329564d037f8016a4ceeb7efaa9e02196c213fdae4de5cb3ac7d6a0ca16b695c38bd831450b6dcee5c2e2241669a9dbdc2b63b1608aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\RegeditFrameHost.exe
    Filesize

    3.8MB

    MD5

    94d83c5e933bdcdec6eb211ba6318634

    SHA1

    529117a416b6bfff33359676e3feb2c465174350

    SHA256

    31a7d581720e2dc1a18a8abc8dbd4ad5cc06c6480719327aeb0e37f9f16fda0b

    SHA512

    061d8c1edca43cdc4d5e999c69cf59b5eccfdece868c7b93af453130bc57b13fd0a966622d88cf7a8c0503c76d99f667428376c3e7f5fc4afb341e80b035caba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\System.lnk
    Filesize

    1KB

    MD5

    0d9db86c5a050f5f322500b4abbb0707

    SHA1

    8f20671bafc570a9ea92e3b7f9c0adcfee9c3cb5

    SHA256

    f99e4ea280453200a8a59dbd8de38a4a4a5a13fb971d1767d0f0a386cb6d35ac

    SHA512

    7c3bbcb80061f75b64aa1d5f90eac6384350fb279741ab2801dbead14d983189e95e9ee2dbd7dd39e1341eb5ccaef124d72388073e555964c7f7401557153a4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\System.vbe
    Filesize

    632B

    MD5

    aae9c70ec1d7723555344949c86f3aab

    SHA1

    cbd5e469ba6114b20b223d62c019f15e166bc85c

    SHA256

    519858705803ff2ecff263b371d6f7cc21a5f541948600dc8335b7837a4fb2e0

    SHA512

    abddf1a9cb1a5e3c524d1a0182fffb7f1a4d2902314b357703b59d28474a429208837f8bd8bb4fefb6f7b3e54625ad55d5ba9c30dc55f0650c876d89318d3e28

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\WatchBull.exe
    Filesize

    10KB

    MD5

    2c3f35edde01ede4867bcfb16d47779b

    SHA1

    30591c98341c2874a23cd1f3d705e0c2ad2022c4

    SHA256

    c2cf8cba38db6296f975f21dabd51bda88263390d9545eb4dd45f839d5623397

    SHA512

    ace8675eeaded14256309358b04a43cfd98cb57be163035855e4fdbff6ccb444e7dc9c45af2ac57e4ce2d17e1697a4251fc4d545c2f6920b5b0280354d9be365

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\e6ee5674bb9446c78bbc5729af6e2c28.exe
    Filesize

    8KB

    MD5

    c4a3c2cad895e1922b778b91c519f7f0

    SHA1

    9c8267bd68db7ecd98af6420195e2ddbc5faf99b

    SHA256

    50d672e104dfc82540dd8246f6a177e869a8154a1f8750bde373d3c0466cae1e

    SHA512

    8032a1e7fccaaf353308e8d5da1477d94dd89baebdbf736e84f062679dfa1859f51f1b11ef570d96602c78820484921aa68c77874175c2bb8f439135a46ce99c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\rubycon
    Filesize

    172B

    MD5

    2bd295901cf390576ae8455c1a93aacb

    SHA1

    a0d0dd36110d36972159375193f4c20bf1d79d32

    SHA256

    6a46947ed61c5b65ad3c2e6f1cb190bf9e652cf22be6664518d173191c9d8000

    SHA512

    619e6bc8c002193ce43446d900220a2d2c76e94c00915d4badb5b99cc3bdd0b9d68497e93f107070881b1dbae208e8f2b026d38819f60290fe82f0886879ac72

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\systemscr.exe
    Filesize

    2.4MB

    MD5

    912a43a3b83410b5d408a147bb80c269

    SHA1

    9b9750c69517e9e66f4a841b867357ce19b58205

    SHA256

    a50420b2333491def7acba3bfa09017d38f54a03ad996dcc2f74f8c60fa1c919

    SHA512

    5b4fec09d0151d2346111e2f9255a3271298b7ad8a35c2e41286bbef1c8f0eed5f570689f1547e7019c292423a4cba46818966cf466082d2b8cc8631cd91c604

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System\vmcheck32.dll
    Filesize

    384B

    MD5

    82d1aaaf7e910979cdaaa12b569bb64d

    SHA1

    b3c1de1b09bacec11cf7a0aa09005c5fbd8825f7

    SHA256

    ea8ba2f78503c4ef5e07837ba780a18bfcc227500f01df0fd16ff814b61e5c57

    SHA512

    52bb6ca9b443323e88a73497d827cbe724bc0fc2aa3a231d517e60424c600b33b0fe8628d4609e1668af67ea68ebc026dbefc33945b81cddb3c3c2760c0c5c0a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\Information.txt
    Filesize

    3KB

    MD5

    808805b3589255e6964469dad666b7f5

    SHA1

    5e45005a7ba221654b0a084d3b891ba03f82e06c

    SHA256

    936f9c7af9586597caaecbd85298acfd6b9ce68b412ca09bf2c5bbf7b79aafe1

    SHA512

    b2ac6e9c5c60f2a58f9f0086910a54469d13c37a6d89bde0d06feb61d5e2b41cf802c2c96e423e41ce75c7f20e05570938fe2ce75f5503605ea1716c1ced08e9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\Screen.jpg
    Filesize

    50KB

    MD5

    06794ec512d6db5f66bd1b97ad6c123a

    SHA1

    7e4c632f4cb1579e5b037b58a76aa3cafc86a4ee

    SHA256

    760f9193fbb37f0e7083ae3ec9d20a5373ecada41307f3b64ae322366064b67a

    SHA512

    5de943c96863640e66cb60f218b0887ba55ea770073b910fbfa660f5d66fb7e15a49f45b27932a186733840b27242d46cbcfe6f862ede7d61d2793a59f27f86e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe.3
    Filesize

    197KB

    MD5

    2ae3489412947341d1eb5ec40f29dd4d

    SHA1

    b8d328fcfd707bfc19b7d26893eeefaa8e784033

    SHA256

    3af53ad20e6abddf6b1aa85ce5cfbf8b3c376c8b6db15d8d31d075726388d1c0

    SHA512

    dbe8edef2ef89e3738c87d96f36713ecb83d1de833f389bb60a72f3fe514115e11f3c67a9f588f6250cd56ee10652ec7152bdbe6ca8d41b55db5e6c86b4fc634

    Download Submit

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.sqlite3.module.dll.3
    Filesize

    360KB

    MD5

    bddc6cb9f60a8f68a108e6c02272e83c

    SHA1

    e829eb69d2366bd4e23d45f01fb324a292993302

    SHA256

    f96a8447ffe71cbd9ae13dca0c562db0b9e056bf2885a5763e0245e387015c8b

    SHA512

    0ee9469f9ceacf4bdc63eac9c2d48115f1b4f838302386bc3741849b3fe17c33345ef1302328a02ff243af9e6a2fcd2ab8c01d83de74ce5d38793eab171a0a82

    Download Submit

  • \Users\Admin\AppData\Roaming\System\Windows defender.exe
    Filesize

    10KB

    MD5

    c90b7f9c9526b4b75b72964e9dafe686

    SHA1

    5ea103a3ecf44c57c22cb6b1ac31db1f15418754

    SHA256

    8c58edd9b95eb12dd82c8eb54dd879f9c712239c2795daddf747b3ac59869953

    SHA512

    2f6d3f9b83ae0a6bc346779e5e52ba78ce35615fee7728db42c968e6ea8d631cbd534a49e48f803991862155a95af00fcb27f03d7701e03cac7b85ae13252061

    Download Submit

  • \Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit

  • memory/916-137-0x0000000000840000-0x0000000000848000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1496-88-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/1496-123-0x0000000003A70000-0x0000000003AED000-memory.dmp

    Filesize

    500KB

    Download

  • memory/1496-117-0x0000000003A70000-0x0000000003AED000-memory.dmp

    Filesize

    500KB

    Download

  • memory/1496-252-0x0000000003A70000-0x0000000003AED000-memory.dmp

    Filesize

    500KB

    Download

  • memory/1496-150-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/1496-149-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/1496-251-0x0000000003A70000-0x0000000003AED000-memory.dmp

    Filesize

    500KB

    Download

  • memory/1496-89-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/1556-74-0x00000000010D0000-0x00000000012A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2112-127-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2252-201-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-171-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-205-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-203-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-209-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-199-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-197-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-195-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-193-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-191-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-189-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-187-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-185-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-183-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-181-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-179-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-177-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-175-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-173-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-207-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-169-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-167-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-165-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-163-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-161-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-159-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-157-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-155-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-153-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-152-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-211-0x00000000006B0000-0x00000000006CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-151-0x00000000006B0000-0x00000000006D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2252-148-0x00000000002B0000-0x0000000000682000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2276-147-0x0000000001130000-0x0000000001390000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2276-253-0x0000000006450000-0x000000000657E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2656-71-0x0000000001080000-0x0000000001088000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2688-0-0x00000000001B0000-0x000000000022A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2688-68-0x00000000001B0000-0x000000000022A000-memory.dmp

    Filesize

    488KB

    Download