Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    05-10-2024 00:03

General

  • Target

    15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe

  • Size

    396KB

  • MD5

    15667babdcdd88ee08174a39c86b00ad

  • SHA1

    19ed09bbe8711e7e0b9a6b7664538559a86d312d

  • SHA256

    5061395e96ddf44be20b37f12ab25da2ee84f9c8ec2dd0b5db4f11cfdb14b2a0

  • SHA512

    e9688e3c981eb1ff0f822dfc2c1a75c570d518b28c8b324b54f4e4fe626cd78ab39171a9f0a61f54eb1e602d941f7faa456aec169bd2379854e7fa411a6fec4a

  • SSDEEP

    12288:LVaauWatLv/kjWaesK3YSYJmlzFZ3IHmMr:L03DkjtLS5hVq

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+swxgv.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90B04BC44BC1C65
2. http://kkd47eh4hdjshb5t.angortra.at/90B04BC44BC1C65
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/90B04BC44BC1C65

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/90B04BC44BC1C65
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------

*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90B04BC44BC1C65
http://kkd47eh4hdjshb5t.angortra.at/90B04BC44BC1C65
http://ytrest84y5i456hghadefdsd.pontogrot.com/90B04BC44BC1C65

*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/90B04BC44BC1C65
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90B04BC44BC1C65

http://kkd47eh4hdjshb5t.angortra.at/90B04BC44BC1C65

http://ytrest84y5i456hghadefdsd.pontogrot.com/90B04BC44BC1C65

http://xlowfznrg4wf7dli.ONION/90B04BC44BC1C65
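The operational content of the note is the three clearnet mirrors, the .onion address and the per-victim ID they all end in. The script below is an added example, not part of the report or of any tool the sandbox uses: it pulls those values out of the note text and checks that every page URL carries the same ID. The NOTE string is an abridged copy constructed from the note quoted above; the regex and the `is_consistent` rule are assumptions made for this example.

```python
"""Added example, not the sandbox's tooling: extract payment hosts and the
victim ID from a TeslaCrypt note and check that they agree."""
import re
from typing import Dict, List

# Excerpt constructed from the note quoted in the report (abridged).
NOTE = """NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90B04BC44BC1C65
2. http://kkd47eh4hdjshb5t.angortra.at/90B04BC44BC1C65
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/90B04BC44BC1C65
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/90B04BC44BC1C65
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/90B04BC44BC1C65
"""

# A host followed by a path that is one long hex token (the per-victim ID).
# The scheme is optional because the Tor address is given bare in the note.
# The wikipedia and torproject links have non-hex paths and are skipped.
PAGE_RE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/([0-9a-f]{12,})\b", re.I)


def extract_iocs(note: str) -> Dict[str, List[str]]:
    """Return clearnet hosts, .onion hosts and the set of victim IDs seen."""
    clearnet, onion, ids = set(), set(), set()
    for host, victim_id in PAGE_RE.findall(note):
        host = host.lower()              # xlowfznrg4wf7dli.ONION -> .onion
        ids.add(victim_id.upper())
        (onion if host.endswith(".onion") else clearnet).add(host)
    return {
        "clearnet_hosts": sorted(clearnet),
        "onion_hosts": sorted(onion),
        "victim_ids": sorted(ids),
    }


def is_consistent(iocs: Dict[str, List[str]]) -> bool:
    """A genuine note repeats one victim ID on every page URL (assumption used
    as the check here); more than one ID means a tampered or merged note."""
    has_hosts = bool(iocs["clearnet_hosts"] or iocs["onion_hosts"])
    return has_hosts and len(iocs["victim_ids"]) == 1


if __name__ == "__main__":
    found = extract_iocs(NOTE)
    print(found, "consistent:", is_consistent(found))
```

The ID in the path is the value to pivot on: it ties the three mirrors and the Tor page to one infection, so other notes or proxy logs carrying the same token belong to the same victim. The 16-character .onion address is a version 2 hidden-service name; current Tor releases no longer resolve v2 addresses, so that route is dead regardless of whether the mirrors are up.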

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (425) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\jhiblutcvhwr.exe
        C:\Windows\jhiblutcvhwr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\jhiblutcvhwr.exe
          C:\Windows\jhiblutcvhwr.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2432
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2888
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2584
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2456
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JHIBLU~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\15667B~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2596
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2644
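The tree above shows the behaviours a detection engineer would key on: a copy of the sample dropped directly into C:\Windows and executed, each stage re-launching its own image (the parent carries the SetThreadContext and WriteProcessMemory flags), WMIC deleting shadow copies, and cmd.exe deleting the dropper and the dropped copy. The rules below are an added example written for this page, not the sandbox's own signature logic; the process records are constructed from the tree as printed, with parent links following its indentation. Two details of the recorded data shape the rules: the WMIC command line is logged as `/noin teractive`, so a rule that looks for the literal `/nointeractive` misses it, and the DEL targets are 8.3 short names (`JHIBLU~1.EXE`, `15667B~1.EXE`), so the deleted path has to be matched against the ancestor's image with a short-name comparison. `short_name_matches` is a simplification of how Windows generates 8.3 names, an assumption for this example rather than the real algorithm.

```python
"""Added example, not part of the sandbox report: behaviour rules run over the
process tree above, re-entered here as constructed records."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's process tree; parent links follow its indentation.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe"
DROPPED = r"C:\Windows\jhiblutcvhwr.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PROCS: List[Proc] = [
    Proc(1984, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2136, 1984, SAMPLE, f'"{SAMPLE}"'),
    Proc(2856, 2136, DROPPED, DROPPED),
    Proc(2432, 2856, DROPPED, DROPPED),
    Proc(2688, 2432, WMIC, f'"{WMIC}" shadowcopy delete /noin teractive'),
    Proc(2888, 2432, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    Proc(2456, 2432, WMIC, f'"{WMIC}" shadowcopy delete /noin teractive'),
    Proc(2732, 2432, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JHIBLU~1.EXE'),
    Proc(2596, 2136, CMD,
         r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\15667B~1.EXE'),
]


def _norm(cmdline: str) -> str:
    """Lower-case and collapse whitespace so the recorded '/noin teractive'
    and a clean '/nointeractive' are treated alike."""
    return " ".join(cmdline.lower().split())


def shadow_copy_deletion(p: Proc) -> bool:
    """Match the verb, not the switch: 'shadowcopy delete' survives the typo."""
    c = _norm(p.cmdline)
    return ("wmic" in c and "shadowcopy delete" in c) or \
           ("vssadmin" in c and "delete shadows" in c)


def short_name_matches(short: str, long: str) -> bool:
    """Heuristic 8.3 comparison (assumption, not the NTFS algorithm): accept
    'JHIBLU~1.EXE' for 'jhiblutcvhwr.exe' when the six-character stem and the
    extension agree. Non-8.3 names fall back to exact equality."""
    m = re.fullmatch(r"([^~.]{1,6})~\d+\.(\w{1,3})", short, re.I)
    if not m:
        return short.lower() == long.lower()
    stem, ext = m.group(1).lower(), m.group(2).lower()
    return long.lower().startswith(stem) and long.lower().endswith("." + ext)


def _same_path(a: str, b: str) -> bool:
    if "\\" not in a or "\\" not in b:
        return False
    dir_a, name_a = a.lower().rsplit("\\", 1)
    dir_b, name_b = b.lower().rsplit("\\", 1)
    return dir_a == dir_b and short_name_matches(name_a, name_b)


def self_delete(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """cmd /c DEL <path> where <path> is the image of an ancestor process."""
    c = _norm(p.cmdline)
    m = re.search(r"/c\s+del\s+(\S+)", c)
    if "cmd.exe" not in c or not m:
        return False
    target = m.group(1)
    anc = by_pid.get(p.ppid) if p.ppid is not None else None
    while anc is not None:
        if _same_path(target, anc.image):
            return True
        anc = by_pid.get(anc.ppid) if anc.ppid is not None else None
    return False


def exe_in_windows_root(p: Proc) -> bool:
    """An executable living directly in the Windows directory, not a subfolder."""
    return p.image.lower().rsplit("\\", 1)[0] == r"c:\windows"


def reexec_own_image(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """Child whose parent is the same image. Weak alone; with the parent's
    SetThreadContext/WriteProcessMemory flags it is the hollowing pattern."""
    parent = by_pid.get(p.ppid) if p.ppid is not None else None
    return parent is not None and parent.image.lower() == p.image.lower()


def run_rules(procs: List[Proc]) -> List[Tuple[int, str]]:
    by_pid = {p.pid: p for p in procs}
    hits: List[Tuple[int, str]] = []
    for p in procs:
        if shadow_copy_deletion(p):
            hits.append((p.pid, "shadow_copy_deletion"))
        if self_delete(p, by_pid):
            hits.append((p.pid, "self_delete"))
        if exe_in_windows_root(p):
            hits.append((p.pid, "exe_in_windows_root"))
        if reexec_own_image(p, by_pid):
            hits.append((p.pid, "reexec_own_image"))
    return hits


if __name__ == "__main__":
    for pid, rule in run_rules(PROCS):
        print(pid, rule)
```

Run against the constructed tree, the rules flag both WMIC invocations, both DEL commands (each resolved to the ancestor whose image it removes), the two executions from C:\Windows, and the two self-relaunches; NOTEPAD.EXE and the top-level launcher produce nothing. The same normalisation matters for the shadow copy rule in any SIEM: match on `shadowcopy delete` or `delete shadows`, because the switch text is exactly the part this sample gets wrong.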

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+swxgv.html

    Filesize

    9KB

    MD5

    922bdf050b04212219d8dcb08a5aefe6

    SHA1

    29fabc41dba5b20bf2843f2d67f3d300e670e84c

    SHA256

    27da6af09fc9551fbeb800eb852b0c54c4be1d64ccfd1188f209a8b2d646057e

    SHA512

    568ed7fcd76b3961b3f844314f384724fb6c5c280d890f45810cef627227cbe0143bfa7621f2f5002a6193bc97ee84e38710affc7debe028399b7f82d261ebfa

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+swxgv.png

    Filesize

    62KB

    MD5

    7c1ab7305e59e117d518e2634b2e1039

    SHA1

    9eecbea98dbe54f726b45c920cd52516555fd884

    SHA256

    7719995386d988dfad9d8adbb1c6658896c6ec19432c453bc182408e97244ab6

    SHA512

    bb2a82a4e96cf0869bac30cf78b29cc89337a026356de17975605d62d1e7d4d7b0ddc8fd06a764b189b8bc83fa0a7943148288018a5e9ac6d57f729cc706a594

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+swxgv.txt

    Filesize

    1KB

    MD5

    4030e1959302c26dc26b47e90b146cdb

    SHA1

    00565ecbe4668cfdc31e8fc309a6ee0acafd79b1

    SHA256

    2af83a04467c70b176775b7dd3cb6997fb9ee67f26de4da5a19fdcb8d5512de7

    SHA512

    c29fe1470da995d62ed223d523e171b48358cb6f5189e722ab048fd36d3600baf2346490b619aad118d13a77e2cdb4475c6d665929dd5d2d9bce0c8d2aee53f7

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    b539bb2fb20530553bfcf0cfadd45d63

    SHA1

    64450096370ba19fd4cd15150ee5bc6ed2264c1e

    SHA256

    40c8da1871dbbe9a707cc123aa85a5209e14e82c713b2b40b0b8f4b2c678bc32

    SHA512

    ab9bb042bf755f8d886925a438f62949d369df684100e74dece632fa9b030abdcdd4755aaf5a68284c36b83f8c6eeefe24f86ae3a05b3e7f273d746a20ccf627

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    c83f4daac5362b549d682a30ffa5ac6e

    SHA1

    013366cdef57ed1f9e61fb48d9369309e785c523

    SHA256

    8d481132ab481d68158c6052be9fade49238e74b7f7b0e9b8a3d62747af68c18

    SHA512

    738e3f9be1fa199a43fcb6a09b4a53a6cb7e7bff34acef2812dbf55104338e839cb9b474fb4b6b14045a789356053903a1b50077c053fc685aa76c11c4cfbf44

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    5076cb9bf29d5e03c3b3f65dcd610505

    SHA1

    b265852dbb47d233d640ee6b9430ea72755f6a9a

    SHA256

    44ddf6170fe44bfa07b64bbdf3b930784d647e6c1789fd3b85234b69fe25f835

    SHA512

    0e9776f137c13724eb7deb61041d63b4ce61e4d0c452579680f5b4b814794c11022fd4d12a266bb7a2102f573ed9b5bc8e74717abef2c9fe2c815f781f63a66e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c9c62a1a284b51084bf32938f11caf5c

    SHA1

    89a9fe701f4a2a124c231c517d98064e8d53c22a

    SHA256

    0c16431afc620f120aa5f6d3a7a454505a1b03ae317530fbc9b4e3d2ad83c082

    SHA512

    c2a70c982dba038950a55c71cae1fbc065f13a3b823e1db415abbaa8b4fc45a3f6bc1f6946c6926b1fedfc215504d7216496c6ab1bd4401927ab2233a2f7a8f5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7ee75a40cfe96a2ef8d833f923e02f68

    SHA1

    43663fa4fd040257985e4093e739fa98738c02b9

    SHA256

    721355bf14a8d3e325d8f467a5ca57d5d8ce1c2a20dced34af908763773dc653

    SHA512

    d8c38bce0647a30bf07551b701e90d76d7bd9d05f40ffaec46eed207300e4fe5539bc7e78cda7828dc5dae7120b12c5709ca41057398d31c2e059751aa035786

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    825f03a4898ed347135b43f68e8d0a5a

    SHA1

    a5e405cfaf4eb812005d47f041a3a572911f2b7e

    SHA256

    3e45f4c759ed6ba3874a9ba74b2112c6c95f706d353178b4652857994eecc105

    SHA512

    f9a220697abd679e426197983be481cb550bbd0d97458042ac05e87848a03b706f3328d932369a9aaa8af02c66a3723fd109dd0b7f20d1e1dbc9bee20fd0b726

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6e25e24f5f3cc8a50dadd7ccc619612e

    SHA1

    edd9abe730a3e0ff33ffc9a2116c934027c4d32b

    SHA256

    0897d0daaf3eae747c567f556f952696bd2d88bea6ec6771ad5a89305ff0c7b1

    SHA512

    5d92c6406757877d1d51768392babfc487414ae9c67e2ee69b8664dacf6eb2bc1be5aa51cf898b0f136eb87219be0d9831964277818729030a6d77629dfcbd89

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec7116043bea2c24858a2fbfd6b70c05

    SHA1

    7698bf5929625afc5656c3f95cc44c6a8a0c6af4

    SHA256

    a2aed0c83f32fbe4698f8c7fa2f7b18530e33c45b78276a0f714895f587e657c

    SHA512

    5883e71b6e9e3da4b4f027aa82242fa2aa95a441c087a63ff0c826e072006f97df2778cf0c901bd25dedef948445117c504df45b932c97eb1d8b3cfc7eeb59cd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fae168cc6cc3f6cac291ab715f3ec442

    SHA1

    71c37616196a3f7eff9cc8d3fba8e87a8a5b39cc

    SHA256

    3a562a2eabbacad9816555711596b1d929cd0420a6412ebe167b4e4a775a9ed4

    SHA512

    87977458021c63ea0c6b0cfeaf7cc537af61e76b6fc611eea09e04ba6ad659bb27bba9895eab97478d63a4fb14e13b988df85c96e326cfab5fd42442380f4418

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a143c16b5be45992309e8386bc6ff5f3

    SHA1

    bc2939c852262def4e123d03c1c2aa55b2c3cf6e

    SHA256

    e6211effdaf64e45333c69ab284a2dc974e02f7524a43e5a44c354b16a1db646

    SHA512

    b20862773c78d05395c0d3af120acd61afafe24071e70c0a1d34b53e1244b656fe9f724a7fe9f84e92bad9817b33fdfbf91fb1f448b5dfadd330b4f5c74e7d31

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e63b832417e600c85aafe699eeee9ac4

    SHA1

    f501456b13c56d4bb555b3da8d3a1c24523476c7

    SHA256

    654a66d7d58a9cd9b771c44af100e97fd1811f5b7fbd3d408110c3b9dc044518

    SHA512

    d636f9df8466657efb714003b6db8461474ebf01d6fb3d3c2ada7b005f3f6c68eccf4ea9ae9b31fbb2fd1bded81a170058f69283ab4556d15c7596ea26248045

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5789b71524b67416d117cbefec382166

    SHA1

    da121f2cd8e91d28537dbbc313cefc50c4c61124

    SHA256

    ed87d5351d4575f6ffdff51db69037c57994121e5d553e8b320e5d7b620b4a5f

    SHA512

    cbca722277c2db6935aba0c3367334458ae3b7f21be41ed127c991524adab139178a5fca1d6edd86ad191fbc58777165d1a8ef5005cd69e033730bf79892d682

  • C:\Users\Admin\AppData\Local\Temp\Cab16FB.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar179E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\jhiblutcvhwr.exe

    Filesize

    396KB

    MD5

    15667babdcdd88ee08174a39c86b00ad

    SHA1

    19ed09bbe8711e7e0b9a6b7664538559a86d312d

    SHA256

    5061395e96ddf44be20b37f12ab25da2ee84f9c8ec2dd0b5db4f11cfdb14b2a0

    SHA512

    e9688e3c981eb1ff0f822dfc2c1a75c570d518b28c8b324b54f4e4fe626cd78ab39171a9f0a61f54eb1e602d941f7faa456aec169bd2379854e7fa411a6fec4a

  • memory/1984-19-0x0000000000390000-0x0000000000393000-memory.dmp

    Filesize

    12KB

  • memory/1984-1-0x0000000000390000-0x0000000000393000-memory.dmp

    Filesize

    12KB

  • memory/1984-0-0x0000000000390000-0x0000000000393000-memory.dmp

    Filesize

    12KB

  • memory/2136-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2136-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-18-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-30-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2136-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-6112-0x0000000004460000-0x0000000004462000-memory.dmp

    Filesize

    8KB

  • memory/2432-6106-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-5088-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-2100-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-2096-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-55-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-6564-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-6448-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-6449-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-6561-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2432-6558-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2644-6113-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

  • memory/2856-31-0x0000000000400000-0x00000000006F4000-memory.dmp

    Filesize

    3.0MB