Overview

overview

10

Static

static

3

1a9ab9e924...18.exe

windows7-x64

10

1a9ab9e924...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-10-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe

  • Size

    418KB

  • MD5

    1a9ab9e924a6856d642bbe88064e4236

  • SHA1

    d9d445e9dcb8694398c7acb33f38d7261c95321c

  • SHA256

    69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

  • SHA512

    f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2

  • SSDEEP

    6144:/lhEMsxe34/JTpHIOdX2JOVM8aSC4Zl7rOfT+yIaIWk3HtlE0/Ce+Mx62q2jQ1+d:7ssoJhf8JOqQC4/7CfTk/rsh2jQ1T0jv

Score
10/10
teslacryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+auixl.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A551FF08BEF486 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A551FF08BEF486 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/A551FF08BEF486 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/A551FF08BEF486 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A551FF08BEF486 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A551FF08BEF486 http://yyre45dbvn2nhbefbmh.begumvelic.at/A551FF08BEF486 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/A551FF08BEF486
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A551FF08BEF486

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A551FF08BEF486

http://yyre45dbvn2nhbefbmh.begumvelic.at/A551FF08BEF486

http://xlowfznrg4wf7dli.ONION/A551FF08BEF486

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (421) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\dkshnpwasoai.exe
        C:\Windows\dkshnpwasoai.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\dkshnpwasoai.exe
          C:\Windows\dkshnpwasoai.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2052
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2756
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1440
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DKSHNP~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1A9AB9~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2924
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3008
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+auixl.html
    Filesize

    12KB

    MD5

    10475349fdd5ef75c191907561386301

    SHA1

    8ab7db7d6d0af26bd3146cfa95079e04a567e83b

    SHA256

    603b6d3fc113c60a8656d28d761ac1f48e67edc8b98ec98468f6a280d3f65750

    SHA512

    41bd8a4f59de8415210aa4116df2149daeb21ec9507be9be5d23ca8bf5a06802dd0cca2f30b00ddd7395fa1b45a316084fed22a2ccd79177d3baeea340c34411

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+auixl.png
    Filesize

    64KB

    MD5

    cc33fc23c696b8f47fdc8842126db8e4

    SHA1

    0f8b82856c05fbda66a55623f1703e8df93f2433

    SHA256

    0ed1de22ace6b5cab3d227e3c4e1546acadfc9374e63f193b03570e9bda1e351

    SHA512

    f2eaa550f7e7732d5d74a8195b887aedfd80bc958b9f0c41e20b7ee11042a5a7d4ffd8b0ea175fbf22644f48e63687aa7a8a90ac4bbc013972f9441439536cb1

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+auixl.txt
    Filesize

    1KB

    MD5

    93d4585b4c08bca630ce78029d43165a

    SHA1

    c0a9d58a338f5635a6d9ded89d3104274e68a187

    SHA256

    d4a422cae470d0f726d13aaad37e28f62cb2e2e2a5fcf344ebb40869399f3929

    SHA512

    760d892bb88fcf6c8d97322ded5eeee4851edaadc04f9bee8b971a2bdcd25ca8532c98a5c8c209230732cb9b92c3e997c0dcd1573db44dad106f2437928a8022

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    188036fce78062aa147640c9d4e3c494

    SHA1

    a0c28eaaf05f6a4b926c47c8c42a713a0ebd034b

    SHA256

    40f16b91329024b3ea88a0d53c59c198c57ad56925c3a7f17e5f731560b0756d

    SHA512

    bd848177b790c5275aabe83af060cefbcb76f70c6375d0c1d9b37486d75e35e00e2ef50cfda5b8cdec9c6d2fea525667a046e53f0969a65bf56924b2955b601e

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    449f38f095bfeb88e1e32166572292c6

    SHA1

    99990d41b9c09041267c3ca55a43db3825e8e586

    SHA256

    6ff4e05c6ac7caea1f0028a45f34873ed5876ebefb9a89e303b4ab3fbb96e582

    SHA512

    9627a76e841f0c4a4e7e50242a6f83665cd281c966cd9736b0106b6d543a1fa2b71f0163bb1a2e09748d4e1b1bc885ff5e045180dfdea324c5cfb6bef439a4b0

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    173KB

    MD5

    dd3287c1b0f69be94651e9cf2456a67f

    SHA1

    89325da0cc0fcd4453c5d9cfb993d5214da087c1

    SHA256

    c0a89ba9147cae3afb15bdb67471f3f035125a80ecc9a2089ecae806d48e4ca4

    SHA512

    e5e2e7f0c3524f21ec02ba75d78a3cde23c2f3ed1c2f8b997efa7af8a2e768620cc7cfeae19bfbfc10303c9d2ae5057ec566293091ad44157ae7f14e47b8e0d8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    534d292b9f47776b5559ad39416986a2

    SHA1

    b37f098bb71f69ff235f07aed04b2054bb4ba9e8

    SHA256

    b1d3036e8a85bd2a375c82ca222b54d082277d4e7e1a1387550f472285a554a4

    SHA512

    20616fa7a176b5570e73b114a00759384c0a786d44f577a54a09406c42cbdc1b1f82dc2a16127c1210f1a6fa1639487f2a42d64e96c490524b784c69d3f54ad9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8d6864a9e82a52eedae81bc71162d129

    SHA1

    a6bc90a3ae760d0d71f87f8d02129b4e5b5c34f8

    SHA256

    66b7f36d2c240010b4d53a7eed4bb84eddb9912fe650aa62908fb268a791a141

    SHA512

    7cc9621faccf7e3a81b7b50575e099f655d41fa876bc16bd094061b8de98f556735febc147a341f7704ae78c6a20830a610c45d9d81c51d902eb5f1720ac8ba7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a0094a0a146dd90455c53f95345e3348

    SHA1

    33489ca8a0b62650c6a611d4318af6e6d6a6e466

    SHA256

    259bd46905efea47f1a3222583587fd1e79edbec84a0fb2d903b6c75123311bd

    SHA512

    cec8d322f1c0ef8269df3a616f3decd390f5dccbabf3c051a9ea8cc4b5780cab963ef7c9d5f1b3605295249030d0e8cd663983943308a8ab7daf042403b6b58b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ee2a7bf8e0050d23ad212d240c51f796

    SHA1

    34e6b40b54e42fa9eecb66f237dc0f2c3e22cdee

    SHA256

    e81bb57b68b4bda2bc97e3239355980258d7af49e7e89c62f47c3a0c3c1a3af8

    SHA512

    a822513580d03ef00c7bdb05d743c4ab584b5064ce3c05b6667a1713c95aec968c7ec3089ff79045876487f31d2247338be7a3ba11546ee5cc8383a3cd852006

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f1970c4cc44b75874793f282a61af275

    SHA1

    3e5dfef6fa4f192288a52727112a45a3f2dd2dc6

    SHA256

    6dd04bc9f40c61eb6b2d9e17a065df2b0874eb0df287d254544300b19db526c0

    SHA512

    a9d51aad9f81cc78c918d059a408630f82af635d49ac79c7b8b1aed20f2d1587af25ea1e752a36ed4bbe0fa3b01b9e35889ad408f90b94f41f0877db672b5b06

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    40ea27c0f9ae190f84b82ab6b8889270

    SHA1

    2abd3fcf352b8010737abd94aa1374153f6358b1

    SHA256

    c90b06cae346c9a9bc39a8d9f4d4d89a0894f99b0c08861bf9840e546d4ba126

    SHA512

    ea39d89240d6f21912bb796f619d3f19a65221852ad93b518b4aee29e108a16d4a543b819279f2a73c79dd6957e14d8adf3489433d08be917b594547e0373745

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    63cf45cf79566c378bc5cfe8fe4eccc9

    SHA1

    a2535e00c58e1cf9e9d17bf76b88bcd126a91aa0

    SHA256

    4c9c571d2b62a671f3ae11bdf39bbe1ebe3fb9d1e5d251ea4611ce795f85b3a6

    SHA512

    fc8cae1e87b20c62c1550b49421b6cd064e3fc1d3f3108eb66092679bbc31588f4c8adc66c57a7d05c47a7d64da3cb2c16bd766d252b5ba45da135ece5a3325c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4fc036af1776ca7f36b181979b52512a

    SHA1

    dc1a9b7d46b3410505df5575d922c042151e3340

    SHA256

    1ad2295af6a5f6fe934966a30e6916adb58acd3e482955228ed1bf87043430bd

    SHA512

    b316d7934da5ac57c56760cf02c0e8e0abadf37554ffa804f698cc5171d36e369e534f185e80298d842632ca3963ceb07301925fb364eadc5af1f3c89c522b3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab3278.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar32D9.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\dkshnpwasoai.exe
    Filesize

    418KB

    MD5

    1a9ab9e924a6856d642bbe88064e4236

    SHA1

    d9d445e9dcb8694398c7acb33f38d7261c95321c

    SHA256

    69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

    SHA512

    f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2

    Download Submit

  • memory/1164-6-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-2-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-4-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-18-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-14-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-10-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-26-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1164-8-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-6109-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-6118-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-5156-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-6100-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-6106-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2052-52-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-1815-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-6110-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-6115-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-1812-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-1334-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-50-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-47-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2052-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2372-0-0x0000000000280000-0x0000000000284000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2372-15-0x0000000000280000-0x0000000000284000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2372-1-0x0000000000280000-0x0000000000284000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2672-6107-0x0000000000170000-0x0000000000172000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2748-28-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download