Overview

overview

10

Static

static

3

JaffaCakes...64.exe

windows7-x64

10

JaffaCakes...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 19:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe

  • Size

    944KB

  • MD5

    96a686bb248a355f9a720d9bf61ef064

  • SHA1

    b2a5177dfcdaa530c80f90f941de179ee2fb7b13

  • SHA256

    6738adf5533e75a138acd4a3529e06c684358e6357ed35032e2754f410bcb0fd

  • SHA512

    9f620190913834951e0374975554d15d00b596c15a9580fd81ad3301b76ba9387ceca3a7d261436d47178f848432a5e612584ab2f20a4d9aa4035f73ac0509a2

  • SSDEEP

    24576:hI1FoXBnpw8bzRhObDkvEbSDKC2UmKaHZfKYYPi:hMYBny0zD0DkvG8mKQCYY6

Score
10/10
darkcometguest16defense_evasiondiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

rawezhhacker.no-ip.org:1604

Mutex

DC_MUTEX-X873AH0

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    XcXCPdfMkCy9

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 38 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4732
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:724
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3340
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:972
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:2868
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2732
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
              PID:1128
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe"
              5⤵
                PID:820
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1256
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3168
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4656
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                5⤵
                  PID:2220
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:924
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:4572
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1192
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:4008
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          1⤵
            PID:2648
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2944
              • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1344
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            1⤵
              PID:4108
              • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2336
                • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4160
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              1⤵
                PID:3388
                • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:680
                  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                    3⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3604
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                1⤵
                  PID:3860
                  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:4800
                    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4168
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                  1⤵
                    PID:540
                    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:4528
                      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:384
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                    1⤵
                      PID:1720
                      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:1948
                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          3⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2000
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                      1⤵
                        PID:4664
                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:3236
                          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1464
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                        1⤵
                          PID:1580
                          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            PID:2280
                            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                              3⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:3512
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          1⤵
                            PID:4020
                            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              PID:5112
                              • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:4028
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                            1⤵
                              PID:1624
                              • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:5080
                                • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                  3⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:1652
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                              1⤵
                                PID:3860
                                • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • System Location Discovery: System Language Discovery
                                  PID:1048
                                  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:3176
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                1⤵
                                  PID:3856
                                  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:4884
                                    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                      3⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:4140
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                  1⤵
                                    PID:4636
                                    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      PID:4948
                                      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                        3⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:1296
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                    1⤵
                                      PID:1032
                                      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:376
                                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                          3⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:2704
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                      1⤵
                                        PID:5052
                                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:3116
                                          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                            3⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:2640
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                        1⤵
                                          PID:4228
                                          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:2136
                                            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:3140

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                          Filesize

                                          944KB

                                          MD5

                                          96a686bb248a355f9a720d9bf61ef064

                                          SHA1

                                          b2a5177dfcdaa530c80f90f941de179ee2fb7b13

                                          SHA256

                                          6738adf5533e75a138acd4a3529e06c684358e6357ed35032e2754f410bcb0fd

                                          SHA512

                                          9f620190913834951e0374975554d15d00b596c15a9580fd81ad3301b76ba9387ceca3a7d261436d47178f848432a5e612584ab2f20a4d9aa4035f73ac0509a2

                                          Download Submit

                                        • memory/972-24-0x0000000000B10000-0x0000000000B11000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1192-33-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1192-31-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1192-30-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1256-42-0x0000000000C60000-0x0000000000C61000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/1344-56-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1344-55-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1344-54-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1476-16-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1476-17-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1476-15-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/1476-23-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/2732-44-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/2732-40-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/2732-43-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/2732-81-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/2732-70-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/2732-41-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/3604-75-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/3604-76-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/3604-74-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4160-64-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4160-66-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4160-63-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4168-87-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4168-86-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4168-85-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/4656-18-0x0000000000400000-0x00000000004ED000-memory.dmp

                                          Filesize

                                          948KB

                                          Download

                                        • memory/5004-48-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/5004-4-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/5004-1-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/5004-0-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/5004-2-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download

                                        • memory/5004-3-0x0000000000400000-0x00000000004D1000-memory.dmp

                                          Filesize

                                          836KB

                                          Download