Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2024 17:25

General

  • Target

    a334ab3396ed6d7d152c86a41474210c_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    a334ab3396ed6d7d152c86a41474210c

  • SHA1

    d92a16044e1a34304d9c8f722dfc1a685eb67094

  • SHA256

    cbbe450bc39c7c5f00140f416299c0302b890c516e80a51e2f4db40362c6aa8e

  • SHA512

    ec455d4bef69ac8a11461b2efdcb4bb5370a85efc81a773157717ab6c8022cc9e36e55d6aab642c21c157f2e8301e8232550661502e01a25234c4121388496d0

  • SSDEEP

    6144:Ze3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:ZY5hMfqwTsTKcmTV5kINEx+d

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+igxwx.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EF14B3F6C541604 2. http://kkd47eh4hdjshb5t.angortra.at/EF14B3F6C541604 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/EF14B3F6C541604 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/EF14B3F6C541604 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EF14B3F6C541604 http://kkd47eh4hdjshb5t.angortra.at/EF14B3F6C541604 http://ytrest84y5i456hghadefdsd.pontogrot.com/EF14B3F6C541604 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/EF14B3F6C541604
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EF14B3F6C541604

http://kkd47eh4hdjshb5t.angortra.at/EF14B3F6C541604

http://ytrest84y5i456hghadefdsd.pontogrot.com/EF14B3F6C541604

http://xlowfznrg4wf7dli.ONION/EF14B3F6C541604

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (417) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a334ab3396ed6d7d152c86a41474210c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a334ab3396ed6d7d152c86a41474210c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\a334ab3396ed6d7d152c86a41474210c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a334ab3396ed6d7d152c86a41474210c_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\ntrrshngkbht.exe
        C:\Windows\ntrrshngkbht.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\ntrrshngkbht.exe
          C:\Windows\ntrrshngkbht.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3040
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2412
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:832
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NTRRSH~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A334AB~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2616
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+igxwx.html

    Filesize

    7KB

    MD5

    d65d276f8515eefd20fee9d79953cd03

    SHA1

    12baf9d4e8abeed21041d974bf33334efeb70904

    SHA256

    a1a637d9a5c507f47622ce18c89b008e90e4ff51b4d3b9e8b1ef70bb37ab0dc3

    SHA512

    6f4837f169918094300251c63f9657daf4c8223c9dd85f22805e09029bb8740cf91d014a516b640c25d04160e6fdf6cf2495c16e2bea3347b32a0663b9a29de1

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+igxwx.png

    Filesize

    62KB

    MD5

    10ebeaf7663c4f47b64776d3c322a57f

    SHA1

    b1ea5cfe6a370e50c39de06243870a20f77c21bc

    SHA256

    320423d3a8b2f9c535dfe1c4b5d90225d19d5fd5047d5177bc2332c1e33fe956

    SHA512

    6fc746210270f42ed2a54172629b092f3dab634d379ee51d005231a5765a5b4102c0e6d8c83f4f150562de6797ee38d881a5151c8bb6d00d80b618d209c3ce52

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+igxwx.txt

    Filesize

    1KB

    MD5

    66d68e914365d5d2bef4beeb4c6e21d8

    SHA1

    b0be78af99454869637fad0d101efa8495de99a6

    SHA256

    536d278cb6bfa163d55e6946b49d89a0b4670ec0d75034d61a25a7f54a8305a8

    SHA512

    d2b492c91df29185b33e110c3bb682be968cf2640648d15a1ddd3ef4034239a703510de34e43912320b17732fba350665c03d955435b22aa01b4ff95a0bd769e

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    e0c5d68a452add75f5fad46deb0bf583

    SHA1

    2786ba94edd51a8fa6d0b597d028ac1606c061bc

    SHA256

    ad815718e0d7a6370c522ab493978bd7de12ce2698af0388e8a91d37e28be942

    SHA512

    112c7a566fbb68d7029b6e8ad5ee5fcde714b24946cce5f23c2e54f2df7228bd2a0a4c5741608ff470511a92f9bd550dfe9d5eb064eefd73dbfb7beadce0534d

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    99776ad66fc8c57b81df0a60cb2d880b

    SHA1

    556a0f95eb89b6e845522eff74a8ac9eb57dc3ae

    SHA256

    09f8ceca2ee0090044949467557b9a7cebe18a2bb53fff67258c5f65993b4b77

    SHA512

    d0fc711878ace4ee4ee710ded2f02a3e362e78a06deb8ee116cde82fae6c999dd919f91fb48bbac1fa539f2a73055acbee16dc8397632c4d183e0dd625b85324

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    ba70f498263ba737f4588c15e9445f9b

    SHA1

    5987c83ed654ed76ef4f342ed7eb590087af89b2

    SHA256

    d2b9198459b30a0093a6ab7b8081f7c0daa8bcae404e40d6a81471fb1169935a

    SHA512

    ffb68c8a099e3e634aa43cc8d4470aa742b9c21d8c650732a11a7fb8086d8582842eb79994bb469e6782e949d3f5956099c9421d79414d97fc0b02016452304c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3bb297be754d1c303f2c833965a6e235

    SHA1

    7aefc189a15eb160fe14336911e1852961a4950c

    SHA256

    0a7d995dc879867256abe20f0238a6a04bd1a093cc9ba439163929eb9252f5ae

    SHA512

    a5cf18f2f6e3c3477b59b721cfe7195c5d453440d8ada32a999b9b0811dfadaa714cb9c2343dfc8ec0c8cb42144b27d4cae442afb78ff37507e71cc11d027125

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a62937bff64f33c59fa2fdc26edc59e1

    SHA1

    6deb99146bbf5f2421de5b87723d0f27f856470f

    SHA256

    f666c68145871affabf99e04da7fb8f09bf95c0dc447f5c3e93a483c7a51913e

    SHA512

    bdbde755bf512f5f0c7f7dc904b61f3e3e7832dd078943273c206a61564db8efb72c9c10103e6449d6eaf003fbc51daedeea9fbdc25f63ac8c6b1da52296c760

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    53ee0ba850fa153069bfb68ecb2ace78

    SHA1

    cc8479a1ae68af4f4a01875edaaf6695bbeda17c

    SHA256

    3ba89aa368eb00e3192dedafb390d61beaf4512ac582dd3113ba87924ba07a70

    SHA512

    686312b3fd1c4eaf2ff53497461d7fc0bda27403569adf08189b313f9f15136cacd9163bcdc02ab8176e0c0d7fbeae14270130c3b6a030ef4d6252f980815fa4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6fdc45b9a25a13de452e3dce49b45a9d

    SHA1

    e8196e41cdad0a5e5babb8cad11832d9176849ad

    SHA256

    3d9ac3a047e27e318198454fdebdff9c25f5bf9e2c48154ae76b46fc0754b92d

    SHA512

    a9e1dd6496438fa88459ecc63067974719fbf12faf06dbf7ba2b842ab4306d2179921c675eb643b9fba54eaf2aaa4fb2eb1055733146752ef6146e797de2b82a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c14d0c3c3e989ce2c609df51fb70c438

    SHA1

    0ae6b0d004e5a8d18c768cecd861beee70b16200

    SHA256

    1b48ccbbd6f5af76acbfcf257f42f30bc97524202f71560c3c99e0ff35e1041d

    SHA512

    28c6a5ac3f2a007ce07ce0ace8002f0e28127ce0e788217d7fe39f019f1ed3953795aa8ae5e4cfa6db73df3fa7dca919d1a5ed5352ba5b3e8884899e1e8989fe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c401207f1f5a588c91024554d467c281

    SHA1

    2d66ac3022485094bf8a1ea5930115148f4fe1c2

    SHA256

    f8ac4886ae430719384986e75ee35848ec9785ce3c527dbd9ab27227f379ce1b

    SHA512

    aa377bead1fda7e3c49cdd36384a1b938e23be6aa4e9b2533c1c30858bdc216718eb6c3359362ef20d48d0254518b9e494bd8c3ef2a0c95a50815de31f3fe9b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    84b91be2a70b4a81de02e6a7714dc472

    SHA1

    bc1518da2862887ab90ee91ccd3657b937930102

    SHA256

    cd8b51343ea00d56bc2f6f36877d548b79db04490439ed0e9dae521782cf5af2

    SHA512

    d7f1744bfd93a734e5560ecaa0d853cf5ab0306498994e7a4f4e77ab35077ce35c80fe773c9f89fef86d247e84d253c5ff9f7e228f9d531ad201b7e2a3eb505a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    81484cd4c40d7b434b48cb5ae0870b31

    SHA1

    1e89b82da2844577252bbcc7715d04300375ec6b

    SHA256

    91d24ed5208fb5de1aecbdd9ce24ef584d4933b4c76732b9e6e1f68cfe7ca57d

    SHA512

    1bfde152282994ad5ae81af0d55a82186086440d6bba7c0bf67df22ea79db74f52400c23edd7e9f9fa8c022a44768a4d51c13ac3cdb09a16a177fae520e03f47

  • C:\Users\Admin\AppData\Local\Temp\Cab6088.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar60FB.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\ntrrshngkbht.exe

    Filesize

    376KB

    MD5

    a334ab3396ed6d7d152c86a41474210c

    SHA1

    d92a16044e1a34304d9c8f722dfc1a685eb67094

    SHA256

    cbbe450bc39c7c5f00140f416299c0302b890c516e80a51e2f4db40362c6aa8e

    SHA512

    ec455d4bef69ac8a11461b2efdcb4bb5370a85efc81a773157717ab6c8022cc9e36e55d6aab642c21c157f2e8301e8232550661502e01a25234c4121388496d0

  • memory/2344-6100-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

  • memory/2636-0-0x00000000002E0000-0x00000000002E3000-memory.dmp

    Filesize

    12KB

  • memory/2636-18-0x00000000002E0000-0x00000000002E3000-memory.dmp

    Filesize

    12KB

  • memory/2636-1-0x00000000002E0000-0x00000000002E3000-memory.dmp

    Filesize

    12KB

  • memory/2748-4-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-2-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-8-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-19-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-20-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2748-12-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-10-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-6-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2748-31-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2820-28-0x0000000000400000-0x00000000005EB000-memory.dmp

    Filesize

    1.9MB

  • memory/3040-1670-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-1667-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-6103-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-6099-0x0000000002AB0000-0x0000000002AB2000-memory.dmp

    Filesize

    8KB

  • memory/3040-6093-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-4680-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-6168-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-6102-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-6173-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-56-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-50-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-52-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-933-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3040-54-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB