locky | 69b7591ee14de24efc887e7239d89f6cf41126b7ce5e119cb3eeae2ca0c12ef0

Analysis

max time kernel
139s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
Size

2.6MB
MD5

af4806b9d8627c865bd6f4d611447751
SHA1

b0fd17423398c13c6f271dc2c1dced3355e8db24
SHA256

69b7591ee14de24efc887e7239d89f6cf41126b7ce5e119cb3eeae2ca0c12ef0
SHA512

bfd0eb6cacac201aa4b3d0c6146419df1f8282a242bd720800cb60d7426af3922749df885a2995b5ea079b74d1db434a03492fe7be5baa1e6ada07f7ec87460d
SSDEEP

49152:4VKjxFspS487/TSwUOdAf6kuSbPMMfT3Mk1h8B8tx817R+w6RlEo2QfhxLtAxC3a:48jUpS57/TSwUOdAf6kuSbPMMfT3Mk1E

Score

10^/10

locky defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky family
locky

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HELP_instructions.bmp"	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\WallpaperStyle = "0"	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\TileWallpaper = "0"	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0CEC0291-AE16-11EF-95B1-7E31667997D6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2448	iexplore.exe
2500	DllHost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
2448	iexplore.exe
2448	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2500	DllHost.exe
2500	DllHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 2224 wrote to memory of 308	2224	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	31
PID 308 wrote to memory of 2448	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	34
PID 308 wrote to memory of 2448	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	34
PID 308 wrote to memory of 2448	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	34
PID 308 wrote to memory of 2448	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	34
PID 2448 wrote to memory of 2728	2448	iexplore.exe	36
PID 2448 wrote to memory of 2728	2448	iexplore.exe	36
PID 2448 wrote to memory of 2728	2448	iexplore.exe	36
PID 2448 wrote to memory of 2728	2448	iexplore.exe	36
PID 308 wrote to memory of 2268	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	37
PID 308 wrote to memory of 2268	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	37
PID 308 wrote to memory of 2268	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	37
PID 308 wrote to memory of 2268	308	af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe
  2⤵
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\af4806b9d8627c865bd6f4d611447751_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2268

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\_4_HELP_instructions.html

Filesize
10KB

MD5
7dd1bd26c04d5af6932a7e1d9db546e4

SHA1
d8b7328859d879cb9a5bbd25ffda0590b5d9c0d6

SHA256
624ebe4b4f66560e4c8ac1819a5390c8cb6472008554672197409ab133340490

SHA512
adb2ed6e9cca816d9be4fec992d53ea8f2235f41d4f7b7991ddbbc722a14e2335c7e86b265cf27eeed4b87b373211f290a549c03b8e97905989e3494a4f5d487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae1bfa7068bf7e2cdb2513a6aed011c

SHA1
f38de570088a62dbd4ebd0f900679d8d81ebaffd

SHA256
27517b4dd7186508678bdd5c29dd526c39d1ff51f70d8032ec4265c429dfee99

SHA512
02d2bedf09aea71790e3645453a88f085f853959e28356eacd9dca9434207490ea9cfdbcdfc7b11d26dbe3081f6f62f248b468b461d798aa71bad09387ab05f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfbeeb511f464a39afe2a980d4bcd28c

SHA1
8ed6b1c9eef6a8d0d97b69a11fd492c73220397c

SHA256
8ff18138f8da800ef8c43fd160e8087e9a170f243aac0e699b68d07271498c41

SHA512
1c3bb27397a5356f3afac8e40f0b884b9825e29d7f5f209bdd13ea5fd00e0166bfef2f338df56847c308861ad4fd4b04f1e459e79a05c812ad350c7d8655069a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46412ee6e2b7f11c552e041e2d10f6be

SHA1
bce40bdffe65ec6b3ea336ad8ef2a9f5b85379f4

SHA256
1ea7895ea9aca563a41a11d7242214c5c3b81d0eb71317fa7ebed8908c7164d1

SHA512
fbfac49d13f54db0becb2bd88e8576f30fe57b35467490f5d787cf9eeb63b4d5b52c9e0b7a712fdd46744eef6eec501c074d7a916d5be9913983462be468db84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a04e4ff287f24e7fbfcbe7c05f17da7f

SHA1
2956964e04362d48b10c7419e340d11f3dc2a901

SHA256
fca29fa4b1d668a67b6b421db344b32cc2a0a63c86096559f709647956ae5c39

SHA512
beb4f5f344f08eaba6af733ca5c018764becd8855305193ec2384616e292cecd418966befff6ffb10f580671b7714dd70170e51bb340b5566a8816bc06cd5c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55d6f032e523452c6693f7ce86e7f858

SHA1
09d0dd3cd062e7dc489e0df80a8955ee3f4c2d33

SHA256
da5e34e28e9b073af95a63de6c5bfdfb4fc56692c47391b51df5a9d144ea55de

SHA512
97c736c3ecacac618dd4844de28e01573403b5e3e1e458e7688f3896cc056a6ac16a412f76e866d19ac0acd3de96bbfd80f420f8b8d987c09463a95699dd642e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c988b2be375c654ce13237e8c27f640d

SHA1
00e76c8ba1782f346c8299c16496207d310cff55

SHA256
8e25512c350e42a1254278849c7b403c7c2e376b17b1ecf29c0b7697cb3b9ed6

SHA512
4b1de3ed1528e35344f60444d6f3426ea3abbb894e6db8532a1f4730b9e5b3117908e11015ed42baeb613c93b1ef33b8d12b13f379d222e4fba8042dfb5ecf36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d30d1767b73c6df4ef10318323365b16

SHA1
cb2ad21b71f537ac3e876d7749645d9540074bdf

SHA256
012fced33b838f86420e71e17e78bf4bebc94b7da3d53fe8b60c25731fb0914c

SHA512
49b7b192a0abef3b482585fc92dc73281663826b06d150d5c0924878881bcd300e41c10f4adb9f955a4d3a68697ab3ecf0514e9a5750e60138c434a284757e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
084dae1a56f90b3acee65c330cb19ad3

SHA1
58bd44e592bbb7c2546a8bc0b2642442b13e3053

SHA256
895e319b1c0ddd17f01d56ce8a1455308c0343233b03e6bf2165564eb7f14452

SHA512
115b4505f2da7017ec8dd3c8e48b7e60680b37de57865a70a6e4514eab64e04f6f35625f9c653953a1350d854988f42bb98daeb7c31f4627802eb8c94177c709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3922704e06c8f85a9215293db2b4725a

SHA1
aa74544600ca7dbbd56f4c152e2b3be0edb13989

SHA256
ca838eebf79a6ec0f361fa4ee85dc06760d2f324df84241d22ab09d7ab4c6f64

SHA512
d4943bff689d00cc17f0c94f03835b7432524710a6bd669469563855fdaa3490cf122cdf4c8dbbb19471acb634551a6d9ca5f52005bb94cae57af805a2c0c1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF96.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.bmp

Filesize
3.8MB

MD5
4fb40bbeffad685df2949ae1ad6a5779

SHA1
65a721bd5c13420c7615066734c82b4e0fd310ea

SHA256
d0e58b3fa74605e0a10da1632b47e39426257591423afc68ceabb180bd7b4e33

SHA512
d5d4429cee4517407a21b0331a721c887471e0acd503bc938a766e4f88f05816af4c34cad68a778b3cc5b9588a2a4afcfd8674c31dea40fe6c968b8c22ce742d

Download Submit
memory/308-17-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-325-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/308-4-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-19-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-29-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/308-25-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-21-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-7-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-3-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/308-23-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-51-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/308-50-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/308-52-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/308-34-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/308-32-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-330-0x0000000003D80000-0x0000000003D82000-memory.dmp

Filesize
8KB

Download
memory/308-36-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/308-10-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-11-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-13-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-15-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/308-35-0x0000000000400000-0x00000000012D8000-memory.dmp

Filesize
14.8MB

Download
memory/2224-2-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/2224-0-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2224-31-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2224-33-0x00000000023B0000-0x0000000002623000-memory.dmp

Filesize
2.4MB

Download
memory/2224-6-0x00000000049D0000-0x0000000004C43000-memory.dmp

Filesize
2.4MB

Download
memory/2224-1-0x00000000023B0000-0x0000000002623000-memory.dmp

Filesize
2.4MB

Download
memory/2500-331-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download