Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ea184a14a4...18.exe

windows7-x64

10

ea184a14a4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/12/2024, 05:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe

  • Size

    530KB

  • MD5

    ea184a14a40394f152e2c08eb9ba62ee

  • SHA1

    80a98688698a29681588d5fa23382b1fa33279b5

  • SHA256

    46a8154f10cee5ed12613adee278ae790a10b359191ce045e94d0d8191f1389d

  • SHA512

    d0232a2e16c8bf3e160446ee139c23ee0562b0e0161aa1153af84452be0db7a859a5a27e9e1f917186b25339f9be1a298218d21021f12a5758d07e0ff3156ac6

  • SSDEEP

    6144:GrtIRxHou3JQW6ioI+CCeNsHLFwoRgv/uxEj0qqVqOjgsVP/RG4vDuK8tFAnpLLC:GORP36Wz8CCeMF5s2jBLG4buJgtY6qZ

Score
10/10
discoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 5 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4772
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2140
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3516
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4200
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2316
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe"
        3⤵
        • Executes dropped EXE
        PID:1640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4292
    • C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe"
      2⤵
        PID:3064

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    3
    T1562

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    5
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      8a55804eb03a434490f09a486d092b33

      SHA1

      ba7388faf188f3f6c1491b237e687f77ef5b507f

      SHA256

      7a9179df2d07f4aa90505eb43e96849980aa2f606188a62d6bd274ff32d87695

      SHA512

      2a2a6e8eccbd7803dd4757bc584f06f3409c826ef3be2bf4eba68e63825875cee9245c49eecfc5d25233a96179c491a4f84890a612b5a8a45e03e4a560881351

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      873b6e23e13376607989a290c55e6f44

      SHA1

      3a9b595444e78c45317a83d814e4dd7cad10e128

      SHA256

      eb0ebdcaf4083205bb9bdedd9a5b37244f3b18896c1333637937afef38d71e0a

      SHA512

      0c847a592a8f66bfd0d94bf649236180d7f903c39e04874f0fa23c73e046c975f55af3751ba1b42340f1fc8b91312d6c428920ab2ddc7ea0b3955f9ad7d0b994

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      127b8a8f71649d00cd4315ea570b16a5

      SHA1

      37655307f831fb9d642e65adcaea135a39c69c0a

      SHA256

      779c2ce03d2eb8e7778df0dc5f4d7f0bda8642aed9654ae412fbd059a77b4b97

      SHA512

      db29350353e9ede2aaa1d4b760a4a2dbe240bc23b72671d6f2667f36716fe7bbbad8fa4062d895072324977d446278a1c86ae27a7702266356dae0af2ddbcce5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      2a0b917aa88ccb16a254c6307cf75380

      SHA1

      8352a03d6e0d200047c0d199dd750b76035f776b

      SHA256

      8730263dcea81b473171f967c5624823b09a9bc36632d46db8c94666cf1db4ef

      SHA512

      2f87b16f282a30e013315f4249d0135b887dc4e6e0278013f0147075f54444c5d26f285e0d6190604ce0905ab0173a89ea6815820b79634398c42c6270c141da

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      314300ca274bedb706bda214e58054eb

      SHA1

      dd56f8598dbc1be93a9c7f3c6c93414612a8469b

      SHA256

      147ba478f92330bea804ea3bbe11394f4db64ef0a12e932915d80d8d19aff939

      SHA512

      651f96fc9c8c990646b4c89b450902993e7bf3e9261bebb722304a7b6af8769e967efed8274d70158550197c7edcf9b0e157b96d3062dd325375546307bc5efc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      e320840dce4223bd7130a74a4a644da6

      SHA1

      6890db0054912cb418767ae052c7e3607bd41754

      SHA256

      4d8390d7154d4dbfb7b3057207853e7a66fe50ff38e4298dc91a0247ffb62be6

      SHA512

      8307708de3f6dee638bac3a390d93df1d04c7a474fe8621d902ad10a447b0242cd1c981f13961e7497a1fe76fcd8433b8c5db1484262b7dca6a7878ae8f01ade

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      685d2494a7772369b20461a57e2e5bf5

      SHA1

      c12b9cb96da2cca25bf1de7ade24c21b29ce594e

      SHA256

      0d1fbff057cf03362bb5788384a89efaad48d13eb896065ebc1734e8699836ef

      SHA512

      a54d70b005cdc73f7defaf1c3998df0c5ee5a9a835f6fb79d430e7fb511075e2f013e4199d2d20a045a6f5a6fc1b4777adfc9b6ee46cd195127e562079eeceed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nvbkxqie.qaq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe
      Filesize

      530KB

      MD5

      ea184a14a40394f152e2c08eb9ba62ee

      SHA1

      80a98688698a29681588d5fa23382b1fa33279b5

      SHA256

      46a8154f10cee5ed12613adee278ae790a10b359191ce045e94d0d8191f1389d

      SHA512

      d0232a2e16c8bf3e160446ee139c23ee0562b0e0161aa1153af84452be0db7a859a5a27e9e1f917186b25339f9be1a298218d21021f12a5758d07e0ff3156ac6

      Download Submit

    • memory/468-173-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1692-228-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1788-250-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1788-9-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-272-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-27-0x0000000005A00000-0x0000000005A66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1788-216-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-38-0x0000000006240000-0x0000000006594000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1788-11-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-26-0x00000000058E0000-0x0000000005946000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1788-25-0x00000000056C0000-0x00000000056E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1788-204-0x0000000007D30000-0x0000000007DC6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1788-8-0x0000000002E80000-0x0000000002EB6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1788-264-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-24-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-238-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1788-10-0x0000000005B10000-0x0000000006138000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1788-251-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1788-151-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2140-183-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2316-240-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2840-161-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2840-239-0x0000000007570000-0x0000000007584000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2840-253-0x0000000007650000-0x0000000007658000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3516-92-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3516-28-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4200-217-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4292-194-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4772-80-0x0000000006670000-0x00000000066BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4772-139-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4772-277-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-193-0x00000000079D0000-0x00000000079DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4772-12-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-227-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-171-0x0000000007FA0000-0x000000000861A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4772-172-0x0000000007960000-0x000000000797A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4772-138-0x00000000075B0000-0x00000000075E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4772-150-0x0000000007820000-0x00000000078C3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4772-149-0x00000000077F0000-0x000000000780E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4772-23-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-252-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-205-0x0000000007B60000-0x0000000007B71000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4772-79-0x0000000006620000-0x000000000663E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4832-206-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4884-254-0x0000000070320000-0x000000007036C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4940-65-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4940-58-0x00000000055D0000-0x00000000055DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4940-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4940-6-0x0000000004F30000-0x0000000004FC2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4940-5-0x00000000055E0000-0x0000000005B84000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4940-4-0x0000000004D50000-0x0000000004DD6000-memory.dmp

      Filesize

      536KB

      Download

    • memory/4940-3-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4940-2-0x0000000004DE0000-0x0000000004E7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4940-1-0x00000000003A0000-0x000000000042A000-memory.dmp

      Filesize

      552KB

      Download