Overview

overview

10

Static

static

3

a265dc8ead...18.exe

windows7-x64

10

a265dc8ead...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    a265dc8eadb3cd340233953eaaf4c15c

  • SHA1

    c67a84227d4d85565ab8127f711b2610b014e27b

  • SHA256

    32b673822967ed3f38c8a8f63a21398b6e04a3c3af299ee7d5c03b971015f107

  • SHA512

    2d2fd12cd7e521df87ea47902b7a266cf440385edf02ad1610ec2457384fb2dce41014fdf2347252a9d7667102916ab8a173c36eb4da869e6eb2150c00fd06a4

  • SSDEEP

    6144:i4EoMNAWiA9LBShpOGmt3CImh7dRZQ/f+WNZN0ivkcMM:i1ASx0hpuJmhh/Q/2WN/2nM

Score
10/10
teslacryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+yqdyp.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F4F26F6A4B341D10 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/F4F26F6A4B341D10 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/F4F26F6A4B341D10 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/F4F26F6A4B341D10 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F4F26F6A4B341D10 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/F4F26F6A4B341D10 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/F4F26F6A4B341D10 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/F4F26F6A4B341D10
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F4F26F6A4B341D10

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/F4F26F6A4B341D10

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/F4F26F6A4B341D10

http://xlowfznrg4wf7dli.ONION/F4F26F6A4B341D10

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Teslacrypt family
    teslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (436) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\qdshfuorfory.exe
        C:\Windows\qdshfuorfory.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\qdshfuorfory.exe
          C:\Windows\qdshfuorfory.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2696
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2052
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1700
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QDSHFU~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2452
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A265DC~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2824
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3064
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+yqdyp.html
    Filesize

    11KB

    MD5

    3cbb9853a0396b160709be8e00d303c2

    SHA1

    bc58d875d4dec5b576c9523cee438f1c115fd235

    SHA256

    e3ef6a424c4b3ed033b7f5b22c3f97238cfd33c55741cbc66403bf2efa337996

    SHA512

    5a837117228f6caab32570b8ab7683b4541512e4b99f88a4572e6f41abeab18e7ae78749748f3b5eba9d0e69ebe3051b6b2ddbc8a4aba55094a509a007bc1b48

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+yqdyp.png
    Filesize

    65KB

    MD5

    67ca7546be40448abd4776d5b7c69feb

    SHA1

    ee7ecb4e37e7fbc811ac7829054a1bdc9ab49b39

    SHA256

    808ac8deca2514792d101d20cdc68c716882b4296fd1d84e9e54317ea85a98cc

    SHA512

    70fd8712a11337c921c2b34a93b5dd051381bc1436b176dd4b76bfe51d0a414f2cd3283a68f37e981ddedecda011245232c29aa8b0c91b9c6d337a1a52fd77f7

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+yqdyp.txt
    Filesize

    1KB

    MD5

    7b3dd3689def96a0db947b3eb3b4a9d4

    SHA1

    531c096f239009e249d39ea29d8a4f0d99205d2b

    SHA256

    7780543ec68f3508f74d70ae9853b2aed2bc872b96011f7c8dd31a8a70a98dab

    SHA512

    8b7eb123b701fc48e37286a2a246ccb8e009a648d419892b1e3725840795e63c273de65366a590639e3aeec10ca78ac8b726b5f4e73faabc8b5ca34bd11c4be7

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    41eea5305c53f26b44a6c23d0f107c3d

    SHA1

    43bc7a8081aed88bf484bc3168fa4719be9a31c7

    SHA256

    40fd139a2b29aa9d4473c5a95b3f890874b5a81bea6bbdf1a39bf41b267b4ea3

    SHA512

    8a45432eef08db4b2677bfd2bdd982ba275b6880ea4ae855ea9847641677a97e63a048123d5e6b6f85fb46e0fb61197d3edad66658b42af290c6bd4375adff11

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    ea0a8dda48556ad6210fd54d4de3b456

    SHA1

    e9514d36a125e340051e0c724ad0da27f2e9174b

    SHA256

    274c5aa678fca7262e613fab430d806ec0e4715be30e2c9b4cb0bfd3e6446852

    SHA512

    992f793003d3265803d77c64c41a111fe9264e828628291447b6c46065e5369cd8c581d501087f2edebcbded1be04e47bbb8fc334110acc916224ccdad84a166

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    173KB

    MD5

    c34bbb0406d30f2c9e1322ed6a2046c0

    SHA1

    c6e14ac14a618fbc0dc774d9f86795c1f139da7b

    SHA256

    b65d4c3a55ca243825cb347c3a572b30fa8c8bba2932638e80b6b811a51c5b04

    SHA512

    2e5745e8eee81aa4c5b34d867210ccb346517e02343d8fd28f0aca1421c6cedcc8778aa8c8687f3328b401830aef2f5da20845ab2655cbbbbc5eca7bded79fb4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c914bc14d95d8e73c964238bd8fda8f3

    SHA1

    d6c90795da9d0c358d9b7041d0f3395f3427407d

    SHA256

    860accad59206b33cb90f9e6579ed692df435900d9ea977009955531378af4a8

    SHA512

    dfc1b386d4c37924d51f071619f5d3acf963490e6d9686eb93724e0f16bee4a088ead444a6d8415e8d079ca01543e152e3e1dea99aac942e6afe15cb961170e4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3bcaa1d32a7c016bef53b16c8c8fa8ed

    SHA1

    a97436b6aee55b23484ffee1962b6bded8389243

    SHA256

    8a8f0f9708f894046f4b4580357a9212bbd3e410c8c9bdb22eaa42cbe3b5dc0d

    SHA512

    e5d1d3e7cd5a7f9b45e1ad3740a8249d2553ebd3f4a4ed5531e9573b3d9ec8279f2a7279f95a13be40a2652225638996ca71777fa44d4de223832f3deff9e0f2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    76dff85d45b6ffd5b87dd8764b41a97c

    SHA1

    759d085a9f2f1b906fb773271047336ba92cadcf

    SHA256

    45bdbac24fdbebe91349624f58bfc54515fbebff0658556e8c517cdd44f8f152

    SHA512

    a8b0480159e589f6b5363e13ca751e4467cd9f002b00e0927b45efb1c26b56b05fe987671ffe4e8a1a387127abefe7f01d37517a59cb90d21da4c225c63ebce9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2119857474f746131c475f98fd7e9cc4

    SHA1

    7c0a4eabb81b7d2fbdd1da9ee13f05dae278de19

    SHA256

    730e6e249232ca615d3e4b147a55a24e773093f65f92fb94eb062e8103fc9dce

    SHA512

    a873a66664fc59efaf2df4cfeef991890f8d93fa30ca4e8b2370210da4d798931a9fee5c26e21bcf53fa3b4fdad87a86cb9efe1a0c7ebdbb4226038845c71e35

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    74f4bc584c5b830e0590cc2bb0c9b132

    SHA1

    06223d05e7a42ebd58187952c47899f4da86390e

    SHA256

    e569b70dfaa987e4c0ed921700eef900bae91c789034047ff2d791a97009151a

    SHA512

    0a837165d0d9b98d45a62f52582d00d1c80213c23b9cbb5dfddb7477ebca10ba150856d7b12db750f5502af7f455bf78584cf3fcbe71cd6c8e49adc798dd915b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e2d36b2bdea8a1e9025afbcd95799748

    SHA1

    19920a50205d898e4c2d8546d03a2253aa1fefce

    SHA256

    4d7a89772297a645c20fcd8ad6dfa09ae71ee30b9128098b92e46a56b240e03b

    SHA512

    6d0c5df1d812e590c45e05cad2d7103773bc1d427698fe06d4f4c1f9cafc4c4eac70463518568082699eb37a84da90fbce8270f6927abe4f5887b3c58187d358

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c98b066dc11feebfe1fb87da43f554b6

    SHA1

    612fa052516441baba2e9a34bcb28c40d8e10be2

    SHA256

    c54c5db5f1745e8718667ae4b9dc5c5b4f0ad7c8d1ffdd237ffb1f7992ad1245

    SHA512

    2b68a2ca24357c4e1a2210ea7cf49150d208f23263bcda36400737557a01264cdc215c9a5c77d31d563f96f7062277f49d590de34c461dc3779089ccf5a85449

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0b94db20a8d41e0e692afa294383e8d6

    SHA1

    6f16340a1259db6007501e8a0cc75706165ff491

    SHA256

    2b5f98619be77e9c0668d2d7a3fc0a46d155d2e5910499514600c46c9ca1d303

    SHA512

    f574dd368c4c705b4e208d0c501730127a10ea65ad155ea64a8aa38bba2bad5e42c06382d48719776c4214c9d95e27bc6e16ad729efaf0a3b1b696e673b13b9b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b52187adca11114b88dd2cdda16e8f44

    SHA1

    d9803682017e75660343fbe0b5ce5b7b0c8e075e

    SHA256

    cc19118cb2eea6d14009aacb2d398c22821b50d4a494d5bf56412c299af721ae

    SHA512

    c9c431806318457ddcf0f31a9a4101e7740ef1776661688ea485f89a1632012e98d7e1069c739cc8354424cdab4f9569b3f75c7afc723f938644503b8503357b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab791.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar87F.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\qdshfuorfory.exe
    Filesize

    276KB

    MD5

    a265dc8eadb3cd340233953eaaf4c15c

    SHA1

    c67a84227d4d85565ab8127f711b2610b014e27b

    SHA256

    32b673822967ed3f38c8a8f63a21398b6e04a3c3af299ee7d5c03b971015f107

    SHA512

    2d2fd12cd7e521df87ea47902b7a266cf440385edf02ad1610ec2457384fb2dce41014fdf2347252a9d7667102916ab8a173c36eb4da869e6eb2150c00fd06a4

    Download Submit

  • memory/968-6136-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2192-28-0x0000000000400000-0x00000000004CB000-memory.dmp

    Filesize

    812KB

    Download

  • memory/2368-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-31-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2368-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2372-0-0x0000000000220000-0x0000000000225000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2372-17-0x0000000000220000-0x0000000000225000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2372-1-0x0000000000220000-0x0000000000225000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2696-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-57-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-6139-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-6135-0x0000000001E30000-0x0000000001E32000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2696-6129-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-4380-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-1721-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-6138-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-1526-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-1525-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-54-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-6473-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-6476-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2696-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download