Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-06-2024 10:17

General

  • Target

    7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe

  • Size

    388KB

  • MD5

    7a4d85a1bef0ca4cecfe376e0ee91090

  • SHA1

    0eaab4a4cf009d2d0d2d525bad4742356ca06317

  • SHA256

    0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0

  • SHA512

    963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280

  • SSDEEP

    6144:VPHkQ4ydZZb+Q7Qf4+4/X+8PvjAsYcHte9qYJkIb/VNIFNgQfo/Xse6+pA+Z0S:BrZZbJu4+Q+8RBe9qYacVNyN/l+pn5

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cedmc.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/47E1DDA5B81473DC
2. http://tes543berda73i48fsdfsd.keratadze.at/47E1DDA5B81473DC
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/47E1DDA5B81473DC

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/47E1DDA5B81473DC
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/47E1DDA5B81473DC
http://tes543berda73i48fsdfsd.keratadze.at/47E1DDA5B81473DC
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/47E1DDA5B81473DC
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/47E1DDA5B81473DC

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/47E1DDA5B81473DC

http://tes543berda73i48fsdfsd.keratadze.at/47E1DDA5B81473DC

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/47E1DDA5B81473DC

http://xlowfznrg4wf7dli.ONION/47E1DDA5B81473DC

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (423) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\tcyogklqnrhx.exe
        C:\Windows\tcyogklqnrhx.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\tcyogklqnrhx.exe
          C:\Windows\tcyogklqnrhx.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2348
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2156
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1916
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TCYOGK~1.EXE
            5⤵
              PID:2752
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\7A4D85~1.EXE
          3⤵
          • Deletes itself
          PID:2876
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1592

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

