Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2024 14:21

General

  • Target

    40550e4313decb096d6300d7bc0e006f_JaffaCakes118.exe

  • Size

    332KB

  • MD5

    40550e4313decb096d6300d7bc0e006f

  • SHA1

    2d7154c146ba334d7f6862df6df9cebd89863ff2

  • SHA256

    0e73a69cb50ed4cc7e45c5b5913b7ed3b0b2ecb5ac946e0be78f026622bde396

  • SHA512

    1a3a903d4949a19acb2ca9adb09ce83432f5c28d017655a4a9f30bce111f293c78a38c920e81272f26577999d3dc099d8bcbfc78fd0c0ee6cd80c6bb0913ce2e

  • SSDEEP

    6144:7cMG0Cmis0NH8A3/1uz7uodnIm5KJHLqreJDckzrYk/:AMZas0NcAvAzyQnR5KJHWreJRrY

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+bpipv.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A78569E4E471893 2. http://tes543berda73i48fsdfsd.keratadze.at/A78569E4E471893 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A78569E4E471893 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A78569E4E471893 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A78569E4E471893 http://tes543berda73i48fsdfsd.keratadze.at/A78569E4E471893 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A78569E4E471893 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A78569E4E471893
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A78569E4E471893

http://tes543berda73i48fsdfsd.keratadze.at/A78569E4E471893

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A78569E4E471893

http://xlowfznrg4wf7dli.ONION/A78569E4E471893

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (421) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\40550e4313decb096d6300d7bc0e006f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40550e4313decb096d6300d7bc0e006f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\40550e4313decb096d6300d7bc0e006f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\40550e4313decb096d6300d7bc0e006f_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\myxtcywmrnml.exe
        C:\Windows\myxtcywmrnml.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\myxtcywmrnml.exe
          C:\Windows\myxtcywmrnml.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2756
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:220
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:200
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:200 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:716
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:988
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MYXTCY~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\40550E~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2768
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1588
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+bpipv.html

    Filesize

    11KB

    MD5

    5ae636feeceff87ea550070f34f05dc5

    SHA1

    84fc2fb1a51fd5659c2437ba7e109eefd55dd647

    SHA256

    97075384a09d4c0e788743691a37ebff170e01f2db687ef405f54d2cd6e4c74e

    SHA512

    630d8333e718362381a2b8ce7137e9475f828b00c27c68fbee082ceeedc1f047e86bd5803ea938c277c067daf3685108462096b285a07c256cec71668b086746

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+bpipv.png

    Filesize

    62KB

    MD5

    12843e102de858c2a6ae84472a5d29e4

    SHA1

    fd80f267150fa5165e00a488d18212b55f2f3384

    SHA256

    7256a97aef0fbe95ce61e77dc8a4f040511338a5e923ecc083b98992ca84e9f9

    SHA512

    eacc407bafa9e2a5d8e6b50923d9e902333859bce798b623efc6116e334c17dc21d67a6f751f3c7d744887db01f5047b977fe48a5fe1d6afc6ff402a7c6554ec

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+bpipv.txt

    Filesize

    1KB

    MD5

    f64a6480ecd113b72cda37b9fde60bed

    SHA1

    d19a9a7131dddfc0368d4ca49f7a8183f0c57984

    SHA256

    0cc9bb42df58430e4641cf7fd778194bf236d2bf98ffe18cfff67a65db4ce50f

    SHA512

    cb712e15db22f90ad9f917e0a45473d8cd2c9379b15899bf5006fde2d622c28117226c8a1a96b35f5be0f7c6f7c1f6d8cac438673b3f6010f5b78af64907cf43

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    b8976403a8dcbb626f04a78885d253ae

    SHA1

    07cf109592f71e1e0e01a23932eab53bf2939392

    SHA256

    2e212f8ee1c1e080102573c8ab7a178dc31648b116c91235edbc0b8507e30435

    SHA512

    35e344b4cc12464beeadf7747be73bae33ce95702978c923609f40b95794ac6379d1d3ec557c9767764a07e308b2837aa8a01ebe4b9575c1e1693305c289bb03

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    1485a5353be859613135308ce945fcda

    SHA1

    aee401864a5bafe435d661bee82646e93b52fa01

    SHA256

    89e6dc6c576b9aebd11e93761cfa43d8f719ff06f62adcb864fc8a17f5790009

    SHA512

    d98b39326d215f95e62176fa8fc8aa34d2a7b840aac0fd253147e1f88f12364eba8d8de2eb1a098d1b8f9d716f31235d86b802a3efc9f0495cebc0890add5559

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    8af727c484337f6368e5229eea548aac

    SHA1

    8c294f8d809f6b0fd6b4c958fec0f63c5351829d

    SHA256

    2d0f03dacc46a8439c27ecdedc2959275a5ae06bc46ad44f425bcf0db5216820

    SHA512

    28ba03c165501cf0387b3385cf46431cb89da4bf1c41c5fdadedd00e5fc5c127fb4ed8b03c9c10395c1682caca8b523390d082a750bde7c841ea9f48224491eb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0e963549bcd7538d05ef53a228543a30

    SHA1

    640d01dfe49b76036c87f158d42ec620004805bf

    SHA256

    45a6bff5a090bd74866b4375a1bff897a3edd1024bc14f00a89b5d88e38a26b5

    SHA512

    d82542594956c30a45b3084a0660a242640340bf33d8ebe1f5f1b794ce69b60d8aecb7041cc6d3e4400262e911008b437b6fa7d2de21e4caeb946b7cd7550206

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    62c5ab54708885c193e3d0b00efed06c

    SHA1

    376c50e98f7b59e6865eb1cf1649ac3d2d068af6

    SHA256

    6e7cbf7473f337afeb6e3f34da65bea9161eef025302f34dc84b0dc231b5a812

    SHA512

    ac15940da9147736bc904feeb94d743863c0984ad59bfda0b3fbb81b601b1af87b141941b6ed5b91762ed59a12ace08bfbc20b1d3fe69a69519c644ebd4c3d6a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aa9ddf42b82157a1215aab11aeba0b51

    SHA1

    0eee60c5037e0e063452ed5071c99bb568379c1a

    SHA256

    e5454fa4d93f170e8a76b87a156db539f89df972ab4c5f2310741f8749ce2e06

    SHA512

    f9901acaaa42f3c81a1a03342ba606edb0d39452eda4a526218e917fad79aef1104d92a10084e8a749d3db75b79aac7be7e0c9045fe0eebb913e7fe1c6897dd0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    db5a7a9470a95e866e779870850eea10

    SHA1

    ffc3ef70b18720b52e972d85b7518eee72324b57

    SHA256

    2154efe11cc299c94fbd4d5649d314885c78c14e5c90b30fbc99e0a1c8079fe9

    SHA512

    7c38d73b69caa6048e33e15bbf15eb56ad4e20f899a4488d0b0ddb993d122fc2af580e77226f179fc13bb48290fa9f2a948da0423d3717eba69ff81f4c61d8ec

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    43873fe7e32a6bd6163415a56d292d37

    SHA1

    6dcb9722f94a0d77284482076eca15354e7c6cb7

    SHA256

    d308a8122f502eb58f95684fe799bfd1024072cd106acdb2bd0a88e68c07cb17

    SHA512

    2b3db12a03a85907753189e3680461342fee79aa26a880285244bdd083d3641eb23b6cc337a8f7e3d52fe8739ce739b1d62441facbd5ed7015bd4de8bcd47efe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e88bf3386ed8138dacf4e55960e87f9d

    SHA1

    8594c6d15f421fa570d260ac890a0fce4300a306

    SHA256

    5353f107979a6f5db941b18a8e5a918535431bbf5fa0e25c0647b428ba4f4201

    SHA512

    d748cbfed392899e85b945e153286a9ad53f8b171e745c8fdef65acdc9c35650be45b7a45820156c9e03b87038dbd3dc518c4c9bc344b23f4f177c83a27a900d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    da578a0e07c0cf620e6c0042fddf2db1

    SHA1

    2948c00b9bbb6a7cbee19ce2bbda68f50a192ca9

    SHA256

    6682988be2b9112de57d8c1a8ab5f6bad0a0cfd005452e858d68ece4a8cf6123

    SHA512

    c7c95a85f1dc259bef442c10fffd0c7065189fc3f440fa99a9552ca9a1b4681ee825baedb4312070a68f89f8924b01dd0974089e1eca8ee62d4f8f53ba25602d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e7ddeb8797d8195c461c6a25928f9532

    SHA1

    33361224c47c93f1f05893dc6dad0893772c1eea

    SHA256

    c66c0a66c22f4249b1674c972bab00992e475b74a51491c5841538cfc69c0a26

    SHA512

    883fa8b920e4aa31cbf283bf56a56174b35028c8a0e0f842694fab7f416854a33899134607eff5e5cad038c4666ba99f53daea24d915aab04455031a5eca4c3e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d468dca6a242ef432dd724b0c767d734

    SHA1

    90c1995461cdf2dc025da273149cd01b273d2326

    SHA256

    a3f4acbe8c6e6fdba89a0a6f69142a64dea95bc10f91bbb7b78c761dbd355400

    SHA512

    301ae0955a12fb0b0ad5068fb0457ce441e729a35133c5547f628826d3ad611e9e493d60b80aac8800a823aeb05600a7f6b162864e7640a597a9f12821acaacb

  • C:\Users\Admin\AppData\Local\Temp\Cab3259.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar32F8.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\myxtcywmrnml.exe

    Filesize

    332KB

    MD5

    40550e4313decb096d6300d7bc0e006f

    SHA1

    2d7154c146ba334d7f6862df6df9cebd89863ff2

    SHA256

    0e73a69cb50ed4cc7e45c5b5913b7ed3b0b2ecb5ac946e0be78f026622bde396

    SHA512

    1a3a903d4949a19acb2ca9adb09ce83432f5c28d017655a4a9f30bce111f293c78a38c920e81272f26577999d3dc099d8bcbfc78fd0c0ee6cd80c6bb0913ce2e

  • memory/2100-0-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2100-16-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2756-6104-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-6545-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-6106-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-6548-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-2137-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-2139-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-5323-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-6092-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-6098-0x00000000042E0000-0x00000000042E2000-memory.dmp

    Filesize

    8KB

  • memory/2756-49-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-6105-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-44-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2756-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2884-27-0x0000000000400000-0x000000000063F000-memory.dmp

    Filesize

    2.2MB

  • memory/2972-15-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-5-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-7-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-9-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2972-13-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2972-25-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3004-6099-0x00000000000B0000-0x00000000000B2000-memory.dmp

    Filesize

    8KB