8647ce982200ed72ee79f1450ab1aef59d1f5da421e4e59c6b51d10fe6ee31e7

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
Size

727KB
MD5

2f46f36fbadfbd00d96fb2304c906aca
SHA1

572f424c378781890a8eb477eeeca733d857276a
SHA256

8647ce982200ed72ee79f1450ab1aef59d1f5da421e4e59c6b51d10fe6ee31e7
SHA512

f1c01bee71249a7de4d9ef876b363c00b974e9aef4042abe18029053fa83805e27e06bfb00a842e639d18598e65788e973ec6bdc86e0eafdbd771515f3e4c86f
SSDEEP

12288:f8CmYnndPONJTTayxTs3TWMk/kap2yNOYsM+k9SFUCTgNIAaKSTqvqDid1TdXMqp:f8PYnndPs/xTVsu2yZlcyCEzaKID61TJ

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\x\taskman.txt	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\win.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\close.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\close.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\_unknown.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\win.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\svchost.exe	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\servers.ini	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\_unknown.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\taskman.txt	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\kucha.txt	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\servers.ini	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\_tamp2.dll	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\_tamp.dll	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\_unknown.dll	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\view.txt	svchost.exe
File created	C:\WINDOWS\SysWOW64\x\kucha.txt	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\mirc.ini	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\view.txt	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\view.txt	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\kucha.txt	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\servers.ini	svchost.exe
File created	C:\WINDOWS\SysWOW64\x\_tamp.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\_tamp2.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\_tamp2.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x\mirc.ini	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\svchost.exe	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\mirc.ini	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\x	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\x\_tamp.dll	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2348-35-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\WINDOWS\\SysWOW64\\x\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\WINDOWS\\SysWOW64\\x\\svchost.exe\" -noconnect"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\WINDOWS\\SysWOW64\\x\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\WINDOWS\\SysWOW64\\x\\svchost.exe\" -noconnect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
Token: SeBackupPrivilege	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2156	svchost.exe
2156	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2156	2348	2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f46f36fbadfbd00d96fb2304c906aca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\WINDOWS\SysWOW64\x\svchost.exe
  "C:\WINDOWS\system32\x\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\x\_tamp.dll

Filesize
25B

MD5
b4f3062120416ef17a153a0495f67ad8

SHA1
85fb9db37072945d03e044a0c270b31ac28e6a95

SHA256
75d388ffa26e32023ebad806945b3307ce91abc5594958c74ab17f47f48601f6

SHA512
35c48a3695967b4925a79cb1869f59782b0429e7700cc13767b525f9c83507c499ae49a6c10a2abe90e13e7ef975bfc02c30f2d4ae1a3af2ad61bed42bb96ae4

Download Submit
C:\WINDOWS\SysWOW64\x\_tamp2.dll

Filesize
238B

MD5
a7b971b0748b73735d3bd694dc9b092c

SHA1
b6cc92157262b350de2fba8e82f0db9d5c3ff471

SHA256
21210cb899ea9fc46a761ce76552e22d95848014614f0f4ec0b313be2e5aa53c

SHA512
5026bf87bd7feb179584f2c1dd876e35c3fd7617d789cd3aba5b3bfb813c4dde88435e4ded307978dda3781402cb80f9770214a4c16c95a993182e4ce85d147a

Download Submit
C:\WINDOWS\SysWOW64\x\_unknown.dll

Filesize
985B

MD5
4f8a3178ceea12ec0532953d6b7324d8

SHA1
4b4555b876702be947f98207f51cd01768ab2e16

SHA256
2d7fae046622b08d2da24f86135d4133ab5c8e667ecad0e29ca08558bb8ec44f

SHA512
55fc460448084d6fbe4cf9c1b45624266b994fd0e6650e1e5c2027db94f0a97bafed2bd250962567616ab9578e256a93d98797832530dab643ed8573c4ee625a

Download Submit
C:\WINDOWS\SysWOW64\x\close.dll

Filesize
62KB

MD5
eca90c31ce89cc5540741b7cd7db3265

SHA1
a29d501c504dc519e1c233fbf38c6a9fe3dd49eb

SHA256
00ae3ccc9dbc4f297f5669e81fb41acf02e4000dc5d74d84d6f9721899062bd4

SHA512
55d8fae32a998029f74574dfcb5f57ed3f9fcbf8fd61d150137a189ce8c125b898210b8d9ef501706d875cd7a0ecc1308ba8d218e8e06084f575e5019edf3dae

Download Submit
C:\WINDOWS\SysWOW64\x\kucha.txt

Filesize
337B

MD5
01d1a001ea637762d5ff44bb5e045657

SHA1
113115276602bb8cc34fa46ac1a00b4efa37370f

SHA256
e24d67cfd441f57fbc8a5b2ef96b39bfc1bc78643068de604a62c3215d053ab9

SHA512
c2db771e9ce24b620699355e9d6bc2c41232eb78a72e66c45e6a4eb6023148f97926291080fac145912a98da68675805b36ab03d3213a0c769707b6ce1ff3943

Download Submit
C:\WINDOWS\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
9990dce375b945b713079ab39f5df791

SHA1
57088a84c81bb2fcdab9fe840840c83676502175

SHA256
7910d254c8efa17effba032c23a8073f057e0877bd77630c95d9cb2b15d04992

SHA512
db2f6a6e4311f29d465c39e45a509d899757b1b781230a5ea50223daf063b25ed8de3bd9215dd7b606fd52ae5675282deee0cd866d0465899c8bbe626d735995

Download Submit
C:\WINDOWS\SysWOW64\x\servers.ini

Filesize
187B

MD5
8dcf46508038e41a8a3f39720b84e3d9

SHA1
5b07c427c842fcc549ced05d843defff1a1e3e8d

SHA256
659bde5e54db72cbd3c842eb3d69960de0c00fe590e04e76331953c987194980

SHA512
c29e2b6977cd129e989db8e7c320d3a7cac04df6ef2c6229a34a5874c9eedb4986ec73fc697f6e39369161cb358efa236c632af8232f9c881ffce38a8390c29e

Download Submit
C:\WINDOWS\SysWOW64\x\taskman.txt

Filesize
62KB

MD5
d5d2ea8e0d6dff65b853218fb735b38a

SHA1
3a2c48db384dbdf22131d9a4333bd8080a07a65e

SHA256
78e74107a1839aff8c493d17b2ab2854fce71f84092d15146d8c66e734323b0e

SHA512
bc085c7125cabf72dc14ab5f03801adfb28bdf59673e842530a5b0a2f7dd63c1375d489d4ddd30880dea4e06915c70cc44f503c87bd88630445b31bcafb7ac1b

Download Submit
C:\WINDOWS\SysWOW64\x\view.txt

Filesize
1KB

MD5
6596d930b01c2ab481cc111d94f57055

SHA1
87b3338eebd7ee041ded0516e59e3e7f701a4b5e

SHA256
e236676d0f246ae3cdad6b7161e7eff8f37c8ba84684d073f89d00d1eeac11f5

SHA512
aa6526a409c0d7ed307d8ff957ad850eec4b4f32cc3e3b5f16e83492a06c164d3d566f2a999899646b4e971a4ed7db85d92fb14638dc3844826dd5eb766053ce

Download Submit
C:\WINDOWS\SysWOW64\x\win.dll

Filesize
14KB

MD5
84e765c435ed85915db4e54540d4f636

SHA1
f1e0f84e2f07381e7847bacf8291c06c380899f0

SHA256
6015066c4a005d129c6ccda4601dfdcfead2037083762a61488266f20820ada7

SHA512
de5313891ca186502e66cb69146c4c15d73d463d7200ef3690bb4961399eec005aaa696166c4becd65f2e9ee778c3dc0cf8ed93f9a9b29ddd2dd92a191bcf332

Download Submit
C:\Windows\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
39a74bc6f34c6e16de383b4b2284cb5b

SHA1
a51127e379915d0b547668d9654c49c213a7c7c4

SHA256
7f84b064ff2b01f59c9f5cfd4fdddcc2950f37ce6196047cd9f539ec3b6ea855

SHA512
222d671258f3b5aa226da0eff52c264464c93c2a6eee93737014a4f39a8cf2fee1484dda5df99bfe26df75b845b7d1c952758af12c7b0b80a904cfa044dc1914

Download Submit
C:\Windows\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
84c9e06db2bec0cbc42f3a54fa2b0d7e

SHA1
f494de8a35fbf4cd6a051babc877a2e3466f8e7b

SHA256
6b8ec488c7a77bac9879c26c6d0da6e99f082e9ceb5e359c37eec23db66f9ba9

SHA512
69cc4231a2860104994350d9ef809568e1942a62d0614aa2e1c22e083983be6143c500302fc0e35e039cac2238b598fac6f1e16301451f7c1a803d9a6bf47da7

Download Submit
C:\Windows\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
b1581ce192dbc33f1f3b0d5abeb32a3d

SHA1
c96ae7d413ed27c607c2b9b7d670dad0bf26b8c6

SHA256
25d21b0f658c2c379bc3b767f6af97830238145899ce8cab16cb017b8fcf10a0

SHA512
722acd71216170c506caf5e27da247596b1fff9bfad899752df0b547fa6247ed625ea06f5aafb1afadc01f9ba85dc642792ea4474016b2c28af64ff429029a55

Download Submit
C:\Windows\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
3b8a2c662e915378f168fcb13a694dfc

SHA1
a3ce5b799bfc494038037561422b28e9dada4b3b

SHA256
ea3f95c052761c63aa3834968269cc568b9aaeacefb1d4623a9a254d84410b4d

SHA512
6d8b76909302508506f27422b55ed2438fff372ef05aace556bc929ae3517a51e53aac52be1ade28edf2ddd82086ad2ba7976536de10463f0895cffc9231d127

Download Submit
C:\Windows\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
fd425838e4b3d96a1941f4f5d21e604d

SHA1
bbe5d6c3ce07ef8a180b56dd6ced6aafeab76d2e

SHA256
f20403dcd5b6547b6c8295f6693a6df13ddf55569a6490912fc2a07eef17edde

SHA512
7bc78f142574e1d1d8c66b8d5adaa90e065ee0441c1272439c3b087ba820d3bd9bc33908d6d75f45d1f09eccba9f64c0c71205d18ffb1443b698655002ed59fc

Download Submit
C:\Windows\SysWOW64\x\mirc.ini

Filesize
2KB

MD5
6217ab1966b0f58df8a1f19f222fb604

SHA1
b647ac2b3b1cc4a9d78a02a4c296b806a7129468

SHA256
edf2b43d487caa0df93d539686cc1357969eed1a80f0a8d11740898b89c19cd5

SHA512
7a6b32c09dbafe64d1f37dc0f22149df2153bcdd2244de4406fa00596edffca5db326dff0da2627a024d2550b97f08f2edd4b3a42a3f204d661176ab4f1923dd

Download Submit
\Windows\SysWOW64\x\svchost.exe

Filesize
1.7MB

MD5
1a9c7f5b57bbffa420675379de161448

SHA1
a65bb4aa36447a5c66f38259d3ccd28cb24f75e5

SHA256
c7431c0c80424c909c35d4d64f37db1c4eaa0a64f8258c14a2018546db668a89

SHA512
ca35a0af0c7fcc9fa8d28b0e8b732a2262ee762f462aeb31975fab7cad59525010cc088f4557a94ed206047f657ea832a10aba11cffcba6fc8f43003ae3e3c50

Download Submit
memory/2156-225-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-287-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-308-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-226-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-307-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-236-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-241-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-242-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-204-0x0000000000810000-0x0000000000825000-memory.dmp

Filesize
84KB

Download
memory/2156-302-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-276-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-281-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-282-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-293-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-292-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2348-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2348-3-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2348-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2348-2-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2348-1-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download