Overview

overview

10

Static

static

3

095b7c9aaf...4f.exe

windows7-x64

10

095b7c9aaf...4f.exe

windows10-1703-x64

10

095b7c9aaf...4f.exe

windows10-2004-x64

10

095b7c9aaf...4f.exe

windows11-21h2-x64

10

Resubmissions

11-04-2024 06:50

240411-hl165seb22 10

11-04-2024 06:50

240411-hl1klsea99 10

11-04-2024 06:49

240411-hlr88shb41 10

11-04-2024 06:49

240411-hlnk2sea97 10

11-04-2024 06:49

240411-hlkt6ahb4z 10

07-04-2024 08:26

240407-kb93eahd32 10

07-04-2024 08:26

240407-kb3y4ahd25 10

Analysis

  • max time kernel
    1793s
  • max time network
    1386s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-04-2024 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    095b7c9aafb975f3732092b03b97ff4f.exe

  • Size

    1.4MB

  • MD5

    095b7c9aafb975f3732092b03b97ff4f

  • SHA1

    db77f3b9c3db3f5d016221471f828fbb06e740f7

  • SHA256

    8827d1935a406a4a39e3da4b8c994753d7cbddf55ea386ac1bdfe17cf2a6f6f1

  • SHA512

    29612b32e2e6e9723e2041ee20f7df05ca7d18828270444a4d12b5ee5e2641a149f9880d84cc83054a9f768eeea43bc27fccc81187b97363321e10572285a05a

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXekQ:KgoLetlLS8tz6V+PwD0XVMrXCNDxtY

Score
10/10
troldeshpersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 61 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\095b7c9aafb975f3732092b03b97ff4f.exe
    "C:\Users\Admin\AppData\Local\Temp\095b7c9aafb975f3732092b03b97ff4f.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2976
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2276
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4452
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3736
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4580
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:5104
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1040
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:288
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3692
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3820
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4120
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:304
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    56KB

    MD5

    68e06de4e23ecd7bc3031180ce27fdc2

    SHA1

    07f1fc0710e508290cd1093334935be46dd764b1

    SHA256

    5fd1901e33723d4f9d21af1f00629483f81bda45bc3ed066ea751335daed803d

    SHA512

    49561b45151bab1dd14004fa91442e23a80674008c801fbcb080ba4cf270aab24eaa1aa9b7caee107c7fcf36d091d7092f75f9e3de582482562faa90b8755a8b

    Download Submit

  • C:\ProgramData\Windows\csrss.exe
    Filesize

    1.4MB

    MD5

    095b7c9aafb975f3732092b03b97ff4f

    SHA1

    db77f3b9c3db3f5d016221471f828fbb06e740f7

    SHA256

    8827d1935a406a4a39e3da4b8c994753d7cbddf55ea386ac1bdfe17cf2a6f6f1

    SHA512

    29612b32e2e6e9723e2041ee20f7df05ca7d18828270444a4d12b5ee5e2641a149f9880d84cc83054a9f768eeea43bc27fccc81187b97363321e10572285a05a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
    Filesize

    1024KB

    MD5

    c2abe63f6e811aae5223d33c1ca13562

    SHA1

    b508f670c43f5beece175188653c8679b8828d83

    SHA256

    d5261dbd5e97cc43d8def9e28a158d47ead57059661345ace4f83e335fa17cba

    SHA512

    88e74f3cdc5329c66d3b35c24441443ddf6256a672ab0e437c8215a68dfe5edd8623437859cc786799010b02a3ef5594dc1fd3078bf2e441f1ea738c25a3c176

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    1241bf816f32750e4d54359140402a68

    SHA1

    f4031f2b4986ee4150a4dadd4ea0192bed6b8915

    SHA256

    8e67597ed6eb1ec4fce3fe98f7c99f4cc87f31e327f4587f5589dcabe08938b9

    SHA512

    b4bc61f9a7f7ec79b3ce3561fb30eca2daf53e2fd839cd123ac07fabaa9d16bd99b3e5c5b7737961bae2d77a82260f0e1fa626c61ee4d153521d141237120289

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    8ef47dcdb2e13f52b3363915337ec3f8

    SHA1

    f1ded9babea6e054e43ca63f21ae30f8d3356eb0

    SHA256

    0b6c3420a5f223b11913508675466b73e6600e30fed675cb212f14e2467f69ff

    SHA512

    75f881882c3afccc285348195e4a781f8d2bf4c87978f72a9822c212850a08840890d6a6259054cc5bf056636112ce17cef9db9854ad5ef6cfa7540549e7a8c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    624f1772c59b029aaadde33de03bb52a

    SHA1

    d763d1da461597ff18ade2fc1b9b40f9e4c0d210

    SHA256

    591391fec4aa162c417c1c7feb47b13eb21763aca01026f37f6f253bd2958fb5

    SHA512

    f25dd3220fd6bcb19f76248f09ab2b93177fd996d5995068d2a55885ac864964c75dfbd09f5694438efc0bf8402a005d0e44267f2930f6152b8337ebc2f6fcd8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    d34956ceec8a6eda07eee1ed8c316eec

    SHA1

    cccd5e940e619a3c1aef1289fb36093d375b40b6

    SHA256

    1495305c78a0abfa67e6a412ef0de3c5c59f59b089a563291c4e5737f3fe32c8

    SHA512

    dc6c9aa31b2f1dc66d2eaae16339f63c18e1bcf8c7539a2b9c507341fd354328f025c0f0ad997886d90883d3de03b2e00172480f78f9cfb86668cb729f551d97

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    24B

    MD5

    419a089e66b9e18ada06c459b000cb4d

    SHA1

    ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

    SHA256

    c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

    SHA512

    bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    c021b2ab8fecdab1f4dafd2e73df02c9

    SHA1

    1f76835978d1d1e11d094aea14266410dad7b172

    SHA256

    6bddd4ce7db054b8f782f5ec6073afb9cb60c98d85f5315dfb140ea0368c8190

    SHA512

    6c04e885341f5b9939f53dcf8330fa9f8ceb28e9ffeec48e8cd2706ed9e722606e205665972c1a9b9450eb77eccc7e0e0b89785cc5a933ecb2fa31b7bf885705

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    5a7e020ba68fa1d472a9720366c289ac

    SHA1

    efbc5340b726dbe321f676118fc6f2edd12159e8

    SHA256

    a45a63cc7d8ee3e6b28ca7fa71539f0968aafefb97b3b1a2c1554595d48eca1e

    SHA512

    2a0d35f7263faea87bb34ff4c30218b49bc6dd0e8d41e72323325406afb60543d31e6be4c2b874a9251e486c6c98e14d6826053ada8bcacfe46b26d0487592f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    21309f5fec2d1f47e57dbfb86ed08008

    SHA1

    7962498dd3c30d26117d02c90f737e4ad5beeb94

    SHA256

    671254e2e8ce95afb472ddc54b473e4b0a6cc2444ce339f2bb6563940f67c227

    SHA512

    970342078260efd77e632a52dbe54cb77a662ccf8eef3fe9c1be938966dd0c4c7fcdc084de36e40f5a7c4135b24b230503c917325461313d30d41b2f1684d45e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    606e077ccf00d2db33fc4e2b34d20336

    SHA1

    6bc8ba921a97915ca0478ad035c4e968a04be2a0

    SHA256

    bd3ca8822449510ff9dae99abdc09d83fa1ed6d37ff3637dcb6d36b30c4ef5fa

    SHA512

    17f11eb1af5fb43c93300161528af3aabd7ded840f93b5d31ce706cfcbf6c088f71d6e9902b5f8e103abbdf9a32b65423cadd288226ee28bfc645786d7e2a460

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
    Filesize

    7KB

    MD5

    0df3609f4f2f6457d21ff1ca43c3f17c

    SHA1

    7aeb8eae01ca9de72cf3b16ff5c42dc458c34d3f

    SHA256

    403114e498c46b4e31d75b0e12ff24bead159308ba62ce96f0e96b51c4942004

    SHA512

    95efa29d6bb75e19fbe0e31fc4e4252ca6839406cd6de7a15fe56b4dc6e7cafea995366694b143688c567eff5e044ec380e34490261e83747ae303db266a55c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
    Filesize

    11KB

    MD5

    c19ebab8f7d6e4aad717ba00c3f3c59a

    SHA1

    aeaf614c2a1da77fd9df8ae66df69e78ec1ae301

    SHA256

    dce05d9cfa5f5149fd343a795fa0044f55805abf36ca2f42192813c696781a16

    SHA512

    b5ddc58d5a0438e02fb549fcb460896eb51506ef24bef9b2108b49a778e0922ed1976c7b2dfa0179eed33e6e188c4e54b5bb4e04ae9da7e4cadfc63e98f0cfdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133572931389518601.txt
    Filesize

    3KB

    MD5

    1a7fb1f78bcee133e90dc30885018c1e

    SHA1

    65a093089642fab6ccad1904085321d228d20ffd

    SHA256

    541aef03c7607d75dc69bedf142fdbe02bd9ad2e926826b339a1fc8a29b4b707

    SHA512

    306777d91b0adf6ff5191f100844b4ce3713edd51e21e6bb6f63ec7bd28dee23cbc0da622f0ab3a5f7c024eb53610389d353b6bacd5d427816ce195aa7e3b327

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133572931487280623.txt
    Filesize

    67KB

    MD5

    c77193884ea6bf6d099eabe663cf9d82

    SHA1

    2ce954f9997e756b343233588a32bf991879d750

    SHA256

    a5907bb44e401f43c128f6cb2016f310fe66354b21190f601a5b1c0adae88fb4

    SHA512

    285f8cddb72ee118afbd7cda3cfcf7158a6fdfbe4f72d7965769a8c212a75e99d0b4d6f111c285db1c1b5ab52aeb469fdce7a61b932d1f12bb99c7714b98508b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
    Filesize

    3KB

    MD5

    7c207a060e293c612b6ed4e62465efe6

    SHA1

    bda2108f26dd5f2d06cfe7445f23771ae46291e4

    SHA256

    95cf028e895ddc83a208cfafdc7c4ae832d78aac0c62b0579332f86a696d59e8

    SHA512

    1988d0477b0ff220214c2ddcf953044e27d077591d5ac66230b464338e8dd470513d631b485093beeb64f5d11c30fe48ffb058c574e2f2c6c7f4a1afbe8d2659

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\JNCT5SRZ\www.bing[1].xml
    Filesize

    13B

    MD5

    c1ddea3ef6bbef3e7060a1a9ad89e4c5

    SHA1

    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

    SHA256

    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

    SHA512

    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EFDE6E09EFDE6E09.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/3980-42-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-53-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-22-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-23-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-24-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-25-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-26-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-27-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-28-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-29-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-30-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-31-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-32-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-33-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-34-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-35-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-36-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-37-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-38-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-39-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-40-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-41-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-20-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-43-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-44-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-45-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-46-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-47-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-48-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-49-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-50-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-51-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-52-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-21-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-54-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-55-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-56-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-57-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-58-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-59-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-60-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-61-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-62-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-63-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-64-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-65-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-66-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-19-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-18-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-15-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-14-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-13-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-12-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-11-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-10-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-9-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-5-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-4-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-3-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-1-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-2-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-0-0x0000000000CB0000-0x0000000000D7E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3980-67-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-68-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-69-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-70-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3980-71-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download