Overview

overview

10

Static

static

3

125477aecc...ac.exe

windows7-x64

10

125477aecc...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe

  • Size

    1.1MB

  • MD5

    d8bbede0a8ec661f6de3d2491c540464

  • SHA1

    7fd1d15716c6d5bbe2ccfa77ac41b60653d1ab57

  • SHA256

    125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac

  • SHA512

    abbeab3f8645d9610d5a4b79f63aa93d3abfc26bfc9e6ea01f612d0b45c1c9c010f94af492b44b2df1c986ca8f4935a9cc3f5ecada358d3574b9152c1210ab30

  • SSDEEP

    24576:5HOlaHILUR9X/oGhmE5EApGfZAuBQfm+t:Mywk53mE5EA8fZ52++

Score
10/10
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>7B6C2898-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (509) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe
    "C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe
      C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe
        "C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe
          C:\Users\Admin\AppData\Local\Temp\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe
          4⤵
            PID:2404
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:2280
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:4180
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2988
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:1980
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:5052
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:3548
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3244
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3036
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1112
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4808
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:3668
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3100
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:3372
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:3076
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:820
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:3340
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:1496

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Credentials from Password Stores

      2
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Windows Credential Manager

      1
      T1555.004

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      3
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[7B6C2898-3483].[[email protected]].8base
        Filesize

        3.6MB

        MD5

        abf21ca24cb4ec31e0efadc9806f6369

        SHA1

        ae72418a8b09742b1ffcaed0243ff8ef30362cb7

        SHA256

        c94c19304df98199c557dd3a9b0fca991f848c1d03b4d2635e0b45bf01a77b8f

        SHA512

        c2194a119f4e4df200e4b83042891ecf0e8d2eaeee11492bc7e2dee31c4708af8079d73088b2029cc601e6d18c6677690b4ff581dfc3e362992cb246f3f34dd3

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\125477aecc33ed5e3e04f0d2154770545b680c19ae1b74bc23de650faede69ac.exe.log
        Filesize

        1016B

        MD5

        4353288293ab8929e492327245a7ccb2

        SHA1

        89b365f2f5e14faaf17715e5764b60d344250d67

        SHA256

        61954fc5184dd88a959f803ee98ca9af53eb0c942dbb00b98ba4f8a46081b587

        SHA512

        48c07ca1b769cf02af6ec938aad8b5a03133e82a451bdff5a03bf4ba47cfd7add0ab28ee6622c22fb54e127472a7cf68dd7d05da15ec439cc18aed2ca76cd08a

        Download Submit
      • C:\info.hta
        Filesize

        5KB

        MD5

        9a75b99a367b8d2b60292deeb7a1a46f

        SHA1

        62109cf3ea45c5d4779d6145b83dd3ed7df9ee8c

        SHA256

        8c8b68c6c1111646226a8ff394ddf7ae69ea4a316069ee7a3e21ad51815caa3a

        SHA512

        c9b0223cbbeeec36b202409ea0dbbbc58f27a71e0a4a5b6780bdb0e56a0d9fe8b930a49a7045ba745ba5b9ece4e16095e4ec3f25ef4620270216474307a1ec89

        Download Submit
      • memory/2320-4-0x0000000005140000-0x000000000518E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/2320-1-0x0000000000570000-0x000000000069C000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2320-5-0x0000000005190000-0x00000000051C6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2320-6-0x00000000051E0000-0x0000000005214000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2320-7-0x0000000005250000-0x000000000529C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2320-8-0x0000000005890000-0x0000000005E34000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2320-3-0x0000000074B00000-0x00000000752B0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2320-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2320-13-0x0000000074B00000-0x00000000752B0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2320-2-0x0000000004ED0000-0x0000000004F62000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2404-21-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3960-1953-0x0000000074BA0000-0x0000000075350000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3960-15-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3960-17-0x0000000074BA0000-0x0000000075350000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4696-37-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-201-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-131-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-36-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-12-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-199-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-120-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-35-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-34-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-32-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-256-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-33-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-1164-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-1684-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-1722-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-1952-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-14-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-12593-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4696-9-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

        Download