Overview

overview

10

Static

static

3

6a1dd1d327...18.exe

windows7-x64

10

6a1dd1d327...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe

  • Size

    608KB

  • MD5

    6a1dd1d327f60aee8509df877c8dc38c

  • SHA1

    a2246029749e47a2532b016f80f5132f431e712f

  • SHA256

    3e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94

  • SHA512

    c29b9159c1bcb40db1a29cb3d91fc46e5b633db5e09ef52e8996a1d0e9900c153e6b68a7da680747215dbf0b03d34a1259fd17b90da01ff7c45cf1c4abedeaf3

  • SSDEEP

    12288:Ax5WAOBdN/sM6Bn6fKzh1N4mZSZjCQm+OHAp3T2FWdP8CQm+OHAp3T2F99V:OsAOBL/sM6Bn6fKzh1N4mZSbF3HdPmFe

Score
10/10
defense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+dhkdm.TXT

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/839158AD8C517484 2. http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/839158AD8C517484 3. http://nn54djhfnrnm4dnjnerfsd.replylaten.at/839158AD8C517484 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/839158AD8C517484 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/839158AD8C517484 http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/839158AD8C517484 http://nn54djhfnrnm4dnjnerfsd.replylaten.at/839158AD8C517484 !!! Your personal page Tor-Browser: fwgrhsao3aoml7ej.onion/839158AD8C517484 !!! Your personal identification ID: 839158AD8C517484
URLs

http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/839158AD8C517484

http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/839158AD8C517484

http://nn54djhfnrnm4dnjnerfsd.replylaten.at/839158AD8C517484

http://fwgrhsao3aoml7ej.onion/839158AD8C517484

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (407) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\yuuostita.exe
        C:\Windows\yuuostita.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\yuuostita.exe
          C:\Windows\yuuostita.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:828
          • C:\Users\Admin\Documents\rtnrj.exe
            C:\Users\Admin\Documents\rtnrj.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\System32\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
              6⤵
              • Interacts with shadow copies
              PID:2940
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1596
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:220
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2636
          • C:\Users\Admin\Documents\sgcia.exe
            C:\Users\Admin\Documents\sgcia.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\System32\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
              6⤵
              • Interacts with shadow copies
              PID:2972
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YUUOST~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:268
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6A1DD1~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2252
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2264
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+dhkdm.HTM
    Filesize

    6KB

    MD5

    228dfb65da94a7c72c1244976d4e6bd3

    SHA1

    2edf80611124dd0f0962f6407a80d430d592224d

    SHA256

    23f88c201bea0ba8ebbca809c658109e735f8734824296cf7ca4b04d90517884

    SHA512

    94a5acfffcc4668690469891401987104e27928ae4b1b14d6bc7d0be13b0add9a01a9ad24053e1e7bc1252dfb2ac57dce3d6188b9dd88db79537f0ccb61d0276

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+dhkdm.PNG
    Filesize

    67KB

    MD5

    39c4144a9c937dcc8ccabd4abd71cef5

    SHA1

    e1953ece226caa90ff3d330e0d20b3faa5475749

    SHA256

    216f812c371c14d4edb9dc7bc091e24c4a2e62b30d9af926663141ab512ec8e2

    SHA512

    d60d298c93764714f33830e741287eadad60399c5cce5937ffbefec23b659fd1290e5c88a6844d83fe769d83c45b85def23e4ed61f7b2cf9d6d4383885e19b70

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+dhkdm.TXT
    Filesize

    2KB

    MD5

    800aa5d7714b5cf93ab5cf85ef723c8f

    SHA1

    38f7e1f5f0837446e99cdb8ea01e349009ab2b43

    SHA256

    069104d6fbe07e21d9bacf4e0a2943bddf9e7b58ba8c3ec335bf7d3284fe83a8

    SHA512

    d6055c90d3fed564f86f2d91b1caa6aa3b267d6ec2f69366ef9341bba467fc883f11865a26437d6928366b5badafe947ed08306bbec90b5cebc5f0e80b42062c

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    25c78a3c055cddcc8db555dba8420deb

    SHA1

    5cf8a5b0525373cc2d1208d6e0882a72aa1d0d56

    SHA256

    349432c1d2d757b95ce70328363c6a553c5331086ae5c4393275e8aed3ceb10f

    SHA512

    aded2cea9509e8e8842b736b2ca2ee0fe6cdf85e6e580d05d4650d0a0490482b1c57094e3a6f65ae85e399a86e068492c50a5874c933b006c623883404289adf

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    806d329d3f0248a1e0c3f14db68d53fc

    SHA1

    8f8f71a0996acb66c8b01c60d8ef91fcd2e3fd21

    SHA256

    a1dbcf98d0eca962f26c6bc4c4cdcaef595fa62cc3a9d71e2f5be8daf4f3b766

    SHA512

    f3c94f987e6561a27f906c0d6ac1ece9fc8bf2a27998707f1cf5b6b03cc86a6c6cf6c99b1d6f0b7bb0a756614c5b0ddb4a328041158a130faf35116b7f49d554

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    173KB

    MD5

    bf7d9bb5ca044cc1b3388533720fac30

    SHA1

    b550ae81cea9359f39c00cf30553ae2cf42504cd

    SHA256

    a7ba4486fd873916788bb0155b44626f1976e8cbea036b6f30f21ac13579ff84

    SHA512

    af87f6485dddf32c18b1f70f768db5aa9cf6fc404624825f74c52e267404292d3525c6f79fb09e8fd33ade7f89d932dbfd622c377b937b792dcf9e7199aac777

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    28106a6d019ad2e6609e06db5c8c7df6

    SHA1

    d4989b0e696b2cdd74b29aa09204dc00df1ef4a7

    SHA256

    225f161780a2d95dbd88962a74a560a3c96022aa496baaf0adc5780ab8c06883

    SHA512

    cf12d86653d228d30a3c20b171c4e7b467da7d3612d394101d0fd242578cbf0c3f2e952ff928ff0bf7dd63824d3becea597d0e2a810b0a356299dcfdd2ab497c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f649f73f59c3eff520f4536701da997b

    SHA1

    c358d6acb57111eb6c81f596dc76c47f76940d35

    SHA256

    4670d20b4f9661fc0945f3ea4a0284102457e1b638303bd0cebbdb37f17104fc

    SHA512

    91bee7399f86a0dbe41088b15bee2b6f374ea2f9e890b4c25d9098a694b33bb9ce9493c4af457643823d31f448e11323418259751a092a45214ef858039c2651

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7fa71e3368d01676bc316f82311f4f27

    SHA1

    a3a985082f5374a60a7902d1f960120b25aab27b

    SHA256

    ddbd0b5c90f2aaafeadf990741c21a95c4c361849ccfae39b2d79bf60321d7b6

    SHA512

    455573fc29632384dbca8f6ed6ce3ce58db5ef65e806f4c4d953478ef799f713538d048c6828cbbf98de7b70afef47d486cbec3b28cd7ba270b0de6ca34777e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    671d378ff8f5b459e0fe8f2d34bd9331

    SHA1

    66272084cba3c328fd01b154df8b6ae19aba9d98

    SHA256

    4ed5cd4d95a5386ba795b2ed91efc73c88053a516ba58b60922573c406b61870

    SHA512

    3e78e01bc63c4e2d46578bab72b5e2bcc2eec4cc7a370d139ed26d6732e13b26f881b04108da9476d150e379b6fdcf2611e28cba2fa6b3889a1553f111cafdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    399902f2443c6da7d6f419b470b45d12

    SHA1

    80a00efcf03aa49d25a7bce8c2e09ae6282e64a5

    SHA256

    e53aa5451d775e0a712523608051a68af6205e35962fbf00289cf72f13bced4b

    SHA512

    8d253e407bc3df80f17e4322098e2305969e7a426dc4a38f77dfdf59c8147bcaddc3a9aafb29350447c2532c90a99dc3382e7a51118f987befe3b54d6244e31c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f567611847006bd61b2dc91261d798af

    SHA1

    4bf82755a7cd5b918acdefd32dbe91a10ecebafe

    SHA256

    82e744504085a9c53fa317338f4b9fdb6230902ca2e07c8299bb0463900484a1

    SHA512

    39758414afad19fcc2f8118492cdb8df703102349366f41d61e9d20583ee418f0d7f45fe9979f97f0f724c6cfd8e88934dfd407e93504adb9c2a180590a703dc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    775726dc5abe9ae227c17a010baae579

    SHA1

    da41ccec4c2bf9287586211888288c293667395a

    SHA256

    459b4a922d551be2da08dc2eaa23c359f0bef96326ac45ca6e5c178d3f381936

    SHA512

    517ce1944eac330c2bae2b49db55e648fbcddfef8e41c63850c7eab1aaf4c21d063f2770929b5e66a21917effa2175e6556212ca91bccd7aa206e74bae54479f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    81d04ee1fe812e403c90986901cca719

    SHA1

    2391d12043dce374129421262dff32f08a8eb6f4

    SHA256

    3f69ed95f40cbba2b58cbde1eeadcd8f8d7f4b71ccce12f89520dc71e4f4c807

    SHA512

    c2a1f68d04a6d734c3360df0665ccf5b352390f88ef6f9c2780db0b901ba5b0063462c0ecafbb49c5b3cf2d331577b67563260bb2b91e8c3f7cea21dc7b3fc99

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c4aa8f9d7c3d21b82bb58bc1d792e825

    SHA1

    86c1afaaea47e0f353e710f15ebc569bca628708

    SHA256

    21c5376769bb8ceee75ee1977b96221af593331f174953c2ae6374840652cd26

    SHA512

    5e4efeb578d85bf0b90e480816431a638d79e9d4f1a9122fecaf0305cc5a6d0a4de66ae521bfe814218d41d9e8038b7e67c54155a24ed3e0d97bafec684a5f4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab2E15.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2EB4.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\yuuostita.exe
    Filesize

    608KB

    MD5

    6a1dd1d327f60aee8509df877c8dc38c

    SHA1

    a2246029749e47a2532b016f80f5132f431e712f

    SHA256

    3e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94

    SHA512

    c29b9159c1bcb40db1a29cb3d91fc46e5b633db5e09ef52e8996a1d0e9900c153e6b68a7da680747215dbf0b03d34a1259fd17b90da01ff7c45cf1c4abedeaf3

    Download Submit

  • \Users\Admin\Documents\rtnrj.exe
    Filesize

    3KB

    MD5

    9dfc75037c8deccc2f1840b249b17750

    SHA1

    ee37e409cfe2b124e63f98f1797aec0330204b82

    SHA256

    b5680fd682b7f64e577492c097c825e4a5a00baa82a8668f478640c5f8918da1

    SHA512

    25e9f3546af040f3cf782b4d6c511517ac0c95cfff8b3afec407c5917427f3129c92495f95873fb67ad928a9c7ef234508ecc9ffd8835da260d8fd1e64ead16e

    Download Submit

  • memory/828-6095-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-6086-0x0000000001E40000-0x0000000001E42000-memory.dmp

    Filesize

    8KB

    Download

  • memory/828-59-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-6232-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-49-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-6229-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-57-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-6096-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-1682-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-1684-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-2209-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-5039-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/828-6080-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2400-20-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-2-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-12-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-4-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-6-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-8-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-10-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-29-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2400-18-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2452-19-0x0000000000360000-0x0000000000363000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2452-0-0x0000000000360000-0x0000000000363000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2452-1-0x0000000000360000-0x0000000000363000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2880-50-0x0000000000400000-0x00000000007BF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2880-30-0x0000000000400000-0x00000000007BF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2884-6087-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

    Download