Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    03-10-2024 01:00

General

  • Target

    0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    0d3571a8ca8ef2fede9e3e11b8761582

  • SHA1

    f2b0416e2afe93050816f62646ecae6080a9e559

  • SHA256

    543144026b1a0c1bbfea07c5af4b9e5654c6eb3416f7ac70d676c6c8682bacbb

  • SHA512

    1474d517cf92cd4dcec62bb656ae918f383fd4e146dd951c9613e7cb300870e32606c3607872bb17d84e2de5c13d23bf51bc16e8f2f576acd4bae9fe3e2b661c

  • SSDEEP

    6144:lysifNvmGSKiUuyWvY1ZEYVG3I825tkB9GqlzXwOwNM5s8Fy:8BQUuy6kP5tU1lzXwBqbs

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nxuux.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/ABFC79646CF63FA
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/ABFC79646CF63FA
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/ABFC79646CF63FA

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/ABFC79646CF63FA
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/ABFC79646CF63FA
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/ABFC79646CF63FA
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/ABFC79646CF63FA
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/ABFC79646CF63FA

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/ABFC79646CF63FA

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/ABFC79646CF63FA

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/ABFC79646CF63FA

http://xlowfznrg4wf7dli.ONION/ABFC79646CF63FA

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (418) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\anifelqhrjvo.exe
        C:\Windows\anifelqhrjvo.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\anifelqhrjvo.exe
          C:\Windows\anifelqhrjvo.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2668
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2864
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1152
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2448
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1056
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ANIFEL~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\0D3571~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:3044
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:580
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nxuux.html

    Filesize

    11KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nxuux.png

    Filesize

    64KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nxuux.txt

    Filesize

    1KB

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Temp\CabF902.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\TarF9A1.tmp

    Filesize

    181KB

  • C:\Windows\anifelqhrjvo.exe

    Filesize

    368KB
