Overview

overview

10

Static

static

3

NoMoreRansom.exe

windows10-1703-x64

10

NoMoreRansom.exe

windows10-2004-x64

10

NoMoreRansom.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1199s
  • max time network
    1174s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-03-2024 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NoMoreRansom.exe

  • Size

    1.4MB

  • MD5

    63210f8f1dde6c40a7f3643ccf0ff313

  • SHA1

    57edd72391d710d71bead504d44389d0462ccec9

  • SHA256

    2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

  • SHA512

    87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score
10/10
troldeshpersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
    "C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:244
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3012
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4052
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2124
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2908
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4720
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3692
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3440
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3532
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:296
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2528
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4740
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    54KB

    MD5

    b2c8aaa769689003e8861c08fb7d28b3

    SHA1

    dafa524a81a84239e6f678c033e5c41fa130e4d9

    SHA256

    f5469e7ffb60c4c0397043704287cd7d463083acb3c0316dff1b7c75c6674fc6

    SHA512

    39e04d398b191827ea288c72f5d88adcdb99d55b383f22e99579429280525d675cc7c6fdcb7c30cbc1ae2ff315ebc0a72aef0da06325d18a0eda192f18e8b3b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
    Filesize

    1024KB

    MD5

    c2abe63f6e811aae5223d33c1ca13562

    SHA1

    b508f670c43f5beece175188653c8679b8828d83

    SHA256

    d5261dbd5e97cc43d8def9e28a158d47ead57059661345ace4f83e335fa17cba

    SHA512

    88e74f3cdc5329c66d3b35c24441443ddf6256a672ab0e437c8215a68dfe5edd8623437859cc786799010b02a3ef5594dc1fd3078bf2e441f1ea738c25a3c176

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    1241bf816f32750e4d54359140402a68

    SHA1

    f4031f2b4986ee4150a4dadd4ea0192bed6b8915

    SHA256

    8e67597ed6eb1ec4fce3fe98f7c99f4cc87f31e327f4587f5589dcabe08938b9

    SHA512

    b4bc61f9a7f7ec79b3ce3561fb30eca2daf53e2fd839cd123ac07fabaa9d16bd99b3e5c5b7737961bae2d77a82260f0e1fa626c61ee4d153521d141237120289

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    b7e082b6614cfd36dabeda03bafdfabc

    SHA1

    1d9dde2769b6ef810df8f4d561e5f36c294d39e4

    SHA256

    62adcb013db48b0d43c15ce07186740b4c73f2ec0607b8a016bdc4acab2c3d1e

    SHA512

    699d91ea05731d82edbe4af8480e4505d0c026d79809584a9821a741d7cd85bac524d0340abcf1f7255397ee9662671516b6ef702625f9af9743ecde185fe3f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    624f1772c59b029aaadde33de03bb52a

    SHA1

    d763d1da461597ff18ade2fc1b9b40f9e4c0d210

    SHA256

    591391fec4aa162c417c1c7feb47b13eb21763aca01026f37f6f253bd2958fb5

    SHA512

    f25dd3220fd6bcb19f76248f09ab2b93177fd996d5995068d2a55885ac864964c75dfbd09f5694438efc0bf8402a005d0e44267f2930f6152b8337ebc2f6fcd8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    6563c04e46d5f2fae83a2854097915ea

    SHA1

    51da449eb89793bcbd208bd2608f881c248759a9

    SHA256

    4133840425c25f91bec8e99b6a23a6a5449e92d83c20625be228f8c92f8a92d8

    SHA512

    de6643b8be03f5affed0f99e441564f81f4382c39b1b2cc34a21e1ca761b9801b0aa8f10882ae71d85a7f8e85321292cfe8f35a7f7a6cd40bd877dec10d48b7f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    24B

    MD5

    419a089e66b9e18ada06c459b000cb4d

    SHA1

    ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

    SHA256

    c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

    SHA512

    bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    8462b4292fcc79de20ce4bce9f5e7bb7

    SHA1

    8783a23244e142ad5eab0b993f082c80a177ad80

    SHA256

    dafb66477ca352aa3cec484836903dce80f4a3bedb5405982a02e65cc0c18846

    SHA512

    5c2747c3e347b15cf9ae7c8aebd0803563dcd51b3fde9f6f80908c84d9fe77f56a44b51ba2dab24d281b83032b1be3d05ae1657e9bc13cb652e340ff15efc01d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
    Filesize

    1024KB

    MD5

    5d51020c5c7638700a10cc0ce9dde4ff

    SHA1

    99585ac192d882cacbb7d58feaf2b7a4d2633688

    SHA256

    43e61d577f9f188faf2d8ee8b39906a94a098431ac4e223d03df1f132821ce03

    SHA512

    11de0915a5f113c1d46a637e568092bb3e3be70ca2f80ce01d0979a3799051db899c996279ed7c0eafd2ca26eee6a4e0160d994e09940b1e5ce3f04eaac2b943

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    5a7e020ba68fa1d472a9720366c289ac

    SHA1

    efbc5340b726dbe321f676118fc6f2edd12159e8

    SHA256

    a45a63cc7d8ee3e6b28ca7fa71539f0968aafefb97b3b1a2c1554595d48eca1e

    SHA512

    2a0d35f7263faea87bb34ff4c30218b49bc6dd0e8d41e72323325406afb60543d31e6be4c2b874a9251e486c6c98e14d6826053ada8bcacfe46b26d0487592f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    8a2c7be1c8f1be25c83981ca80cc9aa2

    SHA1

    ae16ef350760adc4d84dd9c91233698a398d9fc9

    SHA256

    eeebb52edecf1895f57eb4b6d7eee563b57282b44a8db8daa9b67de17ed375ae

    SHA512

    ac5f19d1fa78ea9a5ccce6c0d106d07932390ed32299afb475a0160ed879357fa74d5a0fa32800a1d49136f7a96472bed8e84a0c91c38ba5d2bdca1abe828b73

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
    Filesize

    6KB

    MD5

    f5396d8f24ac8cc273def540d7ed22d7

    SHA1

    39f43a6a465263513026ce20a14f99b3aa746c16

    SHA256

    3e51ab0a23091866d2fca8d46e69f50d9bc529da2ce6ac40f13d1ea65e10524e

    SHA512

    31bc886a9834ec5e0fefea309e100ab433994ea6b89d54c739647f199b2582f3b87bdf2a41be084122aa5dfad32961e94aa6299a4d4cb92a1a4dc8599bccd88f

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    078b6d53ecafc8a075154aa522c60903

    SHA1

    17feca86c9949f8adbace33cafbf2b3dd39ab76e

    SHA256

    cea3213e2d2a5c8cae76d7e95c193c59ff167b11747a81eb475fcf2b508303fd

    SHA512

    c9c72c55a1cb20a1417fee93eb4b46a6738e220e9a83b5a295813dc0805d441873c7e409e7dd137ab9ec67a6334683a7ffe4ffeb3b9c811cfee850614d28e0fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133539819201063822.txt
    Filesize

    2KB

    MD5

    65d939ef67bf440d30c8dee4eebe4890

    SHA1

    5aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40

    SHA256

    e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531

    SHA512

    8237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133539819307757841.txt
    Filesize

    66KB

    MD5

    d37b6121f7a3c40f795173388454be32

    SHA1

    5960afcebc7f3ccd04e54ae9c00431a5d61028de

    SHA256

    725e8494c959dfca98efe89b60484917207af5a994e63489369fef0873c5012e

    SHA512

    4f8c14576576528a3c19010581b818ba5fd2982251f711fa4b52fc7b9e5e72c9862395379b7f558d3bb311d4018deb1d7321ab92cb6c415a06ae30cd5c01b486

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
    Filesize

    2KB

    MD5

    36927d7c28fb653da82af753dd146f5b

    SHA1

    8c5bb4f6502aa2d52683fbca2f28bfb9ad8b0878

    SHA256

    9c2ad878389477b7c98dcfc46b4e072c87a8baeb1c903e58a732a38ac1310dfe

    SHA512

    88f091b434de98886cc8b4094144be87e9be8bd7882f4f4b2f7e23417b12274b202be0f335d61706a67a08ec0f719e7a6de0c3ebcf5e1bd2af169819f02ed0b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\D08ZSWUJ\www.bing[1].xml
    Filesize

    13B

    MD5

    c1ddea3ef6bbef3e7060a1a9ad89e4c5

    SHA1

    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

    SHA256

    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

    SHA512

    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\D08ZSWUJ\www.bing[1].xml
    Filesize

    96B

    MD5

    9f0611eee55944746152f1e630a54f42

    SHA1

    6f627cf789c7305983a4f952b80f9864fac7400f

    SHA256

    62d4c043deb2cc6b4e23d903c295a34fa98e06db7a9525ef361793d32c7d46f2

    SHA512

    192f50d9b0dc8534b9074476c12a4baa1787f4646ced2bfbe651a93bafdcf1d6e4597683ed8cb5d8567422aa1cb0249634736dcfaaef6babe273f21982148553

    Download Submit

  • C:\Users\Admin\AppData\Roaming\12A8477612A84776.bmp
    Filesize

    2.2MB

    MD5

    7c6210b6f6f030e6eea5ba41a1db72cd

    SHA1

    c5cfa2f808395221998def6c0c98f25a6ebb0235

    SHA256

    196afd9e931c32616fba467947dc7e7119c166f3af07249b11890e2ef85d0c26

    SHA512

    8fa354f9eee7d4bf9f0fed889837e0b4571d1508a5a044553aee35532254efcea8ce085bdf6880e9a4531fa49b3052403b27d0c47128505df8781b18652d0b3a

    Download Submit

  • memory/4908-42-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-53-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-22-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-23-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-24-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-25-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-26-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-27-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-28-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-29-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-30-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-31-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-32-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-33-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-34-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-35-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-36-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-37-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-38-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-39-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-40-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-41-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-20-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-43-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-44-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-45-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-46-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-47-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-48-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-49-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-50-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-51-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-52-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-21-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-54-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-55-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-56-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-57-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-58-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-59-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-60-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-61-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-62-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-63-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-64-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-65-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-19-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-18-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-17-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-16-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-13-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-12-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-11-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-10-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-9-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-5-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-4-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-3-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-2-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-1-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-0-0x0000000002430000-0x00000000024FE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/4908-66-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-67-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-68-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-69-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4908-70-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download