Analysis

  • max time kernel
    122s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 05:11

General

  • Target

    2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    2b70ed1d47f2a5d626d16ab5f355c34b

  • SHA1

    cc903de26a6f4dccfb7e216e84c79c0039ea7492

  • SHA256

    055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1

  • SHA512

    696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db

  • SSDEEP

    6144:q/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:6Du6UsibiPbNt370Lcta9OSCnfPuNT

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+uwecq.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D618AEDF63A56382
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D618AEDF63A56382
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D618AEDF63A56382
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/D618AEDF63A56382
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D618AEDF63A56382
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D618AEDF63A56382
http://yyre45dbvn2nhbefbmh.begumvelic.at/D618AEDF63A56382
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/D618AEDF63A56382

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D618AEDF63A56382

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D618AEDF63A56382

http://yyre45dbvn2nhbefbmh.begumvelic.at/D618AEDF63A56382

http://xlowfznrg4wf7dli.ONION/D618AEDF63A56382

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (434) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\mmuonwocpsux.exe
        C:\Windows\mmuonwocpsux.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\mmuonwocpsux.exe
          C:\Windows\mmuonwocpsux.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1152
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2920
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2232
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3036
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MMUONW~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B70ED~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2628
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1932
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1204

Network

MITRE ATT&CK Enterprise v15

Downloads
