Overview

overview

10

Static

static

3

4e82602405...18.exe

windows7-x64

10

4e82602405...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    4e826024050255ddf739c2656f2d9a77

  • SHA1

    856eca0fb51d6994d9d472dfe5358b4c9b5293d7

  • SHA256

    56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

  • SHA512

    fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff

  • SSDEEP

    6144:r/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:hDu6UsibiPbNt370Lcta9OSCnfPuNT

Score
10/10
teslacryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqqir.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/90E4E054B438F773 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/90E4E054B438F773 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/90E4E054B438F773 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/90E4E054B438F773 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/90E4E054B438F773 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/90E4E054B438F773 http://yyre45dbvn2nhbefbmh.begumvelic.at/90E4E054B438F773 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/90E4E054B438F773
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/90E4E054B438F773

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/90E4E054B438F773

http://yyre45dbvn2nhbefbmh.begumvelic.at/90E4E054B438F773

http://xlowfznrg4wf7dli.ONION/90E4E054B438F773

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (423) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\mgpmnyqjddue.exe
        C:\Windows\mgpmnyqjddue.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\mgpmnyqjddue.exe
          C:\Windows\mgpmnyqjddue.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2412
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1856
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2848
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2008
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1176
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MGPMNY~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4E8260~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2568
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2508
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqqir.html
    Filesize

    12KB

    MD5

    059a0056cdfb48d37d4c736a15e7dd22

    SHA1

    b0ee41fce61ad1a897ee2244e7a8a7106abf2757

    SHA256

    bb5181091dd125261f434ede8d3d2967a32fa3702dd8d5f476899540448d5667

    SHA512

    f4742a6e5a1ba80edc485f75639904fbfbd1df13b78b06700cab1bcc1f3d74ee9014cc1b9ba40b3a40566a5ca37efda5bafa7e7fcf1d3e769bf903703f97f0ef

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqqir.png
    Filesize

    64KB

    MD5

    13ec6d148d1a31ece17e614b4d88e2a7

    SHA1

    065b3a4911b93a4961082c0f94c6004dcf042e41

    SHA256

    e19a527d2d4b5e68caa4653ed25d8965fc6667edbc430dd948f21023cf42a14a

    SHA512

    a60a2112d842ac2f73be5b23a979debd855a40025a15053e9b605c72dac27007e53e53fc690f3762677772d76269f8d75f676570a0fe10b92e77c0e5df5723b3

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqqir.txt
    Filesize

    1KB

    MD5

    2ba61fed34d423544c2ec8178ab13e19

    SHA1

    a7fa280bfcb9c9f06ff488d3a5a352de99975016

    SHA256

    2b29ffe0753b607f3491777c424eee34cbc878d91381a6f5f2867e6e9c46237e

    SHA512

    b9cbc72efe7b844f1287f1bd1109e6015c432a533039fc5f913382f0202f73a4217037ebc4e02c7921c79947f22020b89ceb19ed971dd45468f9cce6e8a95f81

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    54c2db19ad105fff5380870c2eab1105

    SHA1

    daa94f1fa0c8a776990bafb6cf0e40138f6b2d6f

    SHA256

    6fb41eb58fe002ec8eed261b6a9b0e3011028e25fb0042328aa6dbcbea0fc0a2

    SHA512

    b9aef932b49772152aadce0a3ef5d96a9e703dc75d90c2efd6ed17f56a7ba3e41ea20c4adf2c6f60998727ae217343842ca99fd4c50606cf989a4ae69e2a093c

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    f3e0b2db5dbf5fb048472987a0b8c3cd

    SHA1

    78e64169a5185145c11a2ddd8db37d42c7995555

    SHA256

    c4c53b6900027b4bf80c440bba4bd20297413fb1a6b2f296e159fce1da1724d8

    SHA512

    cafcbb071d50a69a0cedc0b1eb18d421b203ac32913551c48a9b99c256eee7ce9a5f9b740d7f88cc7f0d549408054f4c4f842f574c3c42a512d45302a1950698

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    173KB

    MD5

    0ef73673b12ae024593ca18766d2dd9a

    SHA1

    f5dd9ad65d0db2367dca07786b9f9799fc8bbfc9

    SHA256

    3cf03268a22064ed2b1da155993bf33eff48a825a9e2e24749282819171228df

    SHA512

    a1bac28aba3837dc27f750dd972baee8641424012a739067fc4d08774099847d7a2e6bb476dad2720c3440e7f8e97b81a41b0fad4fdcc8a3fa07d93672168195

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f6c1156afcc973f6db1797a543cd5c20

    SHA1

    1592017e13e81f6468c7db1a0852c5558a95f681

    SHA256

    a72d18d79fbac38ce617a5fa4d47a9a0888514125d03e8d2e5ccc98306509124

    SHA512

    d1876dba84c7ab57d0aa7f9330b29773d5299e9dd6bbc037ffab9beed8bb4ca1270bf6ceb27be5b45cdfd886d0f16df45d427d6a8ee0e9e126a0721aaa8af927

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5da4ad0d544a70b76b5e0d660b4eac00

    SHA1

    e8515c5f68946a1f76e37fa0c1f8a62f932c329c

    SHA256

    f0b8e3a18ace7fa6c955fd5370d2d01cd61f2d81f6a7e34ce8844153d3946e28

    SHA512

    8963304e6278eae1789b1092ec635096eb237b0f60ea2835294f1e66f35e754afc348a01afc5f89ab29438c13bd7bd201c5846b86cf011ae5f8d5d6fc4b0570f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    44af596dc787a4af32f11b7d12d16663

    SHA1

    92de6f892393fba3a2b48a5eac31d491fa673823

    SHA256

    e27b9c9bd44837a8bda8c6148e226127a9a6a9ae57e4c2413af652d188127cb4

    SHA512

    30183b935c4739804983d30648605dab9429948ae450ca2a8878cc39f4a8c37578001584aa11b3bdc5c4bc43479ad52f6130ed1aace1c37b81c8eeb1b0f91e97

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    afb20038fdd0fe714e85d36cca73b218

    SHA1

    1f333ff6e98992969240bef655847a61222dcf78

    SHA256

    347ce8ddeb6a0238d13fdfd09f7aafcfb479c0052b2ebd9a4fd47c6e8390cd50

    SHA512

    89201e4db4c2adb320bc2545dcd58a9dfc7ca53445821a8e0cc9e1e7cdcc0587cbff19427bc3ade1b3a89ecb7ce37b798eab16cd72617f09bd27761a011a4418

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    82c2337564875d673e207fc8622d1b52

    SHA1

    fc39af2357b4a6db8e24d6897f0de4afba933876

    SHA256

    296141268ed69047eb36b04a77efb2ba634a143a32170acb0b6eb7ebd69bd240

    SHA512

    f483d6554bc2dbb76f76bc99672ef5be4e7985ecdbc3c1a36478f64a82398fd51133cd84f7a8c6d773ea866c1672c0f9f3d39470c70fcf5d4a5937e506ea3a76

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    697f08ae01dd9e7a0e1556c72c38db35

    SHA1

    6f6d36b0708fd0eced2f627d50a9230b831c04a3

    SHA256

    768454cdf4b0837f36572a5504711875d96fef67095cd9547807fb5e444f1116

    SHA512

    d8e9787fe3e52e687f004bb23c413d0ccda95c28e3e24218a7af461d4a84619615da094368a7b1e00f2b92078911e0f4ad5d0765d8e83b44cac85e5e8637d925

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    df47f5474e2ce91c3de386ce7ca5268f

    SHA1

    6fca88027a8b1baaa3b412f32e6cfba686b1dcbf

    SHA256

    342bf4707fe5ab0c6fd8fb62c904b7b2394b1af3a0a3148e71ac33649d2fa591

    SHA512

    d855156ab4b5fad14b139423c47fcfc65d543b3228f3f0d80da273aac68dc6e20dd2f67aabd4effceb3e50648190c4b4e9aeb1ac009388af2d283dfdfbd92e27

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ad0cd5226433ca05353f8ceda505d14d

    SHA1

    40cad44151d14e2f0babcc8cc904415388e65b39

    SHA256

    9954e46084966835a4805597882826de751cb1a15564f8e800f5fa22c307c3e9

    SHA512

    505dcea0d592037c1698580f33b74558f73e2a75c961efb9c06323d5eb8457e6ae46d04c91ea8b5b735757d1aa504d6571c9b0213b4039e41533aba1c3375c64

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fe85061ef2aaf34b0add87830e2873ff

    SHA1

    7d00574f85983d4f3c5ce446cb2ee5333fa64fee

    SHA256

    27127da75ae3d4aacbf44b5356d0cce7a25779517351d744be4505b42b9017c7

    SHA512

    3a2594eed56c50b46f2733f193b9f241ed6aecbbde4eae2e97fb5d411f2b1560518d4ea3a6574deb4388ce4cd8e7f989069f20c8ced228ef283277f581df42ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab6F98.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar6FE9.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\mgpmnyqjddue.exe
    Filesize

    368KB

    MD5

    4e826024050255ddf739c2656f2d9a77

    SHA1

    856eca0fb51d6994d9d472dfe5358b4c9b5293d7

    SHA256

    56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

    SHA512

    fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff

    Download Submit

  • memory/912-6095-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2412-6103-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-6098-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-54-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-761-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-1270-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-1597-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-6106-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-6101-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-4698-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-6088-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2412-6094-0x00000000042E0000-0x00000000042E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2544-28-0x0000000000400000-0x00000000004E2000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2560-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-31-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2756-17-0x00000000001B0000-0x00000000001B5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2756-0-0x00000000001B0000-0x00000000001B5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2756-1-0x00000000001B0000-0x00000000001B5000-memory.dmp

    Filesize

    20KB

    Download