Analysis

  • max time kernel
    122s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    09-10-2024 10:25

General

  • Target

    2f6e31ea10e7493640f587fbddf1e295_JaffaCakes118.exe

  • Size

    405KB

  • MD5

    2f6e31ea10e7493640f587fbddf1e295

  • SHA1

    093cc6e3b22d18407a4aa073ba2c56e9a93a7f0e

  • SHA256

    10ac5ba8e263f415b53bae91278727eb71ec393b1f685bd6cdd6df48d984df9d

  • SHA512

    a0d78f5947def8a397746fd5d63caf85628acdb252141a848e9e533712f2e1de10e8dc8054180a9065f1e2aeac7dc1be2710afba55166ae4ab90b90ba6994833

  • SSDEEP

    12288:D9RdIMX3LWmMOF1zvk/3t+zS6dGf4HpnK:JIMXz/1zOHf4M

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+qirso.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A993342E6F441638 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A993342E6F441638 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A993342E6F441638 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A993342E6F441638 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A993342E6F441638 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A993342E6F441638 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A993342E6F441638 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A993342E6F441638
URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A993342E6F441638

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A993342E6F441638

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A993342E6F441638

http://xlowfznrg4wf7dli.ONION/A993342E6F441638

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (423) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f6e31ea10e7493640f587fbddf1e295_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f6e31ea10e7493640f587fbddf1e295_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\2f6e31ea10e7493640f587fbddf1e295_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2f6e31ea10e7493640f587fbddf1e295_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\mnyqjdduelgw.exe
        C:\Windows\mnyqjdduelgw.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\mnyqjdduelgw.exe
          C:\Windows\mnyqjdduelgw.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2868
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:668
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1840
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2496
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MNYQJD~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2F6E31~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1852
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:700

Network

MITRE ATT&CK Enterprise v15

Downloads
