metasploit | 1e4a272c8c9fe3dfe2c7a934061bb74413a91531b64cd14fd89c442cac4daaf6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
Size

168KB
MD5

d044fcd54a910b1329f96559be56be22
SHA1

535a917082ffb6b4d90e68ab13e983b80799130f
SHA256

1e4a272c8c9fe3dfe2c7a934061bb74413a91531b64cd14fd89c442cac4daaf6
SHA512

4b6ffb077486c791b4f0f97efdc994ea528d1144f75d5c0843f6f7503d37834cb43bc2db470f031fe3fb4e9fff7307d1346a48a3c010ed1a73bc3067e5cbac25
SSDEEP

3072:/T5At29FjGLyqJXJHiG9FpombMOFeZTPJNW1y2uvU69qTlXQ0ux:/xDjGLzGGe8MOct21Bu3sVKx

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wnpjt1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wnpjt1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wnpjt1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wnpjt1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4676	wnpjt1.exe

Executes dropped EXE 10 IoCs

pid	Process
220	wnpjt1.exe
4676	wnpjt1.exe
1984	wnpjt1.exe
3508	wnpjt1.exe
924	wnpjt1.exe
2632	wnpjt1.exe
3536	wnpjt1.exe
1656	wnpjt1.exe
4492	wnpjt1.exe
2828	wnpjt1.exe

Maps connected drives based on registry 3 TTPs 12 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpjt1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpjt1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpjt1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpjt1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpjt1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File created	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File opened for modification	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File created	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File opened for modification	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File created	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File opened for modification	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File created	C:\Windows\SysWOW64\wnpjt1.exe	wnpjt1.exe
File opened for modification	C:\Windows\SysWOW64\wnpjt1.exe	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wnpjt1.exe	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 220 set thread context of 4676	220	wnpjt1.exe	84
PID 1984 set thread context of 3508	1984	wnpjt1.exe	96
PID 924 set thread context of 2632	924	wnpjt1.exe	98
PID 3536 set thread context of 1656	3536	wnpjt1.exe	100
PID 4492 set thread context of 2828	4492	wnpjt1.exe	102

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3660-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3660-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3660-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3660-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3660-31-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3660-39-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4676-43-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4676-45-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4676-44-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4676-46-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4676-48-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4676-49-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3508-55-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3508-56-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3508-58-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2632-64-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2632-69-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1656-75-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1656-79-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2828-85-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpjt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wnpjt1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpjt1.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wnpjt1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpjt1.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wnpjt1.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wnpjt1.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpjt1.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wnpjt1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpjt1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3660	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
3660	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
4676	wnpjt1.exe
4676	wnpjt1.exe
3508	wnpjt1.exe
3508	wnpjt1.exe
2632	wnpjt1.exe
2632	wnpjt1.exe
1656	wnpjt1.exe
1656	wnpjt1.exe
2828	wnpjt1.exe
2828	wnpjt1.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 4376 wrote to memory of 3660	4376	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	82
PID 3660 wrote to memory of 220	3660	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	83
PID 3660 wrote to memory of 220	3660	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	83
PID 3660 wrote to memory of 220	3660	d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe	83
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 220 wrote to memory of 4676	220	wnpjt1.exe	84
PID 4676 wrote to memory of 1984	4676	wnpjt1.exe	95
PID 4676 wrote to memory of 1984	4676	wnpjt1.exe	95
PID 4676 wrote to memory of 1984	4676	wnpjt1.exe	95
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 1984 wrote to memory of 3508	1984	wnpjt1.exe	96
PID 3508 wrote to memory of 924	3508	wnpjt1.exe	97
PID 3508 wrote to memory of 924	3508	wnpjt1.exe	97
PID 3508 wrote to memory of 924	3508	wnpjt1.exe	97
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 924 wrote to memory of 2632	924	wnpjt1.exe	98
PID 2632 wrote to memory of 3536	2632	wnpjt1.exe	99
PID 2632 wrote to memory of 3536	2632	wnpjt1.exe	99
PID 2632 wrote to memory of 3536	2632	wnpjt1.exe	99
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 3536 wrote to memory of 1656	3536	wnpjt1.exe	100
PID 1656 wrote to memory of 4492	1656	wnpjt1.exe	101
PID 1656 wrote to memory of 4492	1656	wnpjt1.exe	101
PID 1656 wrote to memory of 4492	1656	wnpjt1.exe	101
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102
PID 4492 wrote to memory of 2828	4492	wnpjt1.exe	102

C:\Users\Admin\AppData\Local\Temp\d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d044fcd54a910b1329f96559be56be22_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\wnpjt1.exe
    "C:\Windows\system32\wnpjt1.exe" C:\Users\Admin\AppData\Local\Temp\D044FC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\wnpjt1.exe
      "C:\Windows\system32\wnpjt1.exe" C:\Users\Admin\AppData\Local\Temp\D044FC~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\wnpjt1.exe
        
        "C:\Windows\system32\wnpjt1.exe" C:\Windows\SysWOW64\wnpjt1.exe
        12⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wnpjt1.exe

Filesize
168KB

MD5
d044fcd54a910b1329f96559be56be22

SHA1
535a917082ffb6b4d90e68ab13e983b80799130f

SHA256
1e4a272c8c9fe3dfe2c7a934061bb74413a91531b64cd14fd89c442cac4daaf6

SHA512
4b6ffb077486c791b4f0f97efdc994ea528d1144f75d5c0843f6f7503d37834cb43bc2db470f031fe3fb4e9fff7307d1346a48a3c010ed1a73bc3067e5cbac25

Download Submit
memory/1656-79-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1656-75-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2632-69-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2632-64-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2828-85-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3508-55-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3508-58-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3508-56-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3660-31-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3660-39-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3660-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3660-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3660-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3660-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4676-46-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4676-48-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4676-49-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4676-44-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4676-45-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4676-43-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download