Overview

overview

10

Static

static

3

a8e0b0186e...18.exe

windows7-x64

10

a8e0b0186e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    a8e0b0186e5159aa8a772e8d4169d3f3

  • SHA1

    7c1f0f6fc4fd2669717e632652ff8a99fb093e69

  • SHA256

    1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e

  • SHA512

    01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa

  • SSDEEP

    6144:rOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:rFeq0F+PzcOLyWRsHA93/oswe

Score
10/10
teslacryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fgsml.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D39F55CD7B8F40DD 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D39F55CD7B8F40DD 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D39F55CD7B8F40DD If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/D39F55CD7B8F40DD 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D39F55CD7B8F40DD http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D39F55CD7B8F40DD http://yyre45dbvn2nhbefbmh.begumvelic.at/D39F55CD7B8F40DD Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/D39F55CD7B8F40DD
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D39F55CD7B8F40DD

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D39F55CD7B8F40DD

http://yyre45dbvn2nhbefbmh.begumvelic.at/D39F55CD7B8F40DD

http://xlowfznrg4wf7dli.ONION/D39F55CD7B8F40DD

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Teslacrypt family
    teslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (427) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\rdsgmcoenjyy.exe
        C:\Windows\rdsgmcoenjyy.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\rdsgmcoenjyy.exe
          C:\Windows\rdsgmcoenjyy.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2116
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2824
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:236
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:408
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:408 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1352
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\RDSGMC~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A8E0B0~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2656
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:788
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fgsml.html
    Filesize

    12KB

    MD5

    2d5667cbc789d5d17ecbc8acd7dd4c4a

    SHA1

    8e26a265bff8c170c0a309952f279c70273f7580

    SHA256

    efb240c9fa23b0c4958dad4a7f322a0e62433e169e3a8fa48dfe764dd650f65a

    SHA512

    daa52e31e74b30995c02107c2ce78e9d8869c139d19e4858f612fde61c6298f66f5c147dabf692a66c3996430dd95eb06253f3693b5e151a67b0fb33e35b0b91

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fgsml.png
    Filesize

    65KB

    MD5

    bbe20b45d42c95a0ba8282e10d548b40

    SHA1

    5ef517f1eff9287781a54f94cabbcc8dc6bb31ba

    SHA256

    f113c486f11cb5ee046c7df05446a22720d6d71fea1d106de6f5c4d7291531e7

    SHA512

    1d005ec5e7373c34d1286e8c8cafa8d97c8fb0449fa43c972e9efcb213e7f7b623ca2251eb080e4b106ae1e44fe1830f2998a78fdaa32549b11cbd4ce0fed0a3

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+fgsml.txt
    Filesize

    1KB

    MD5

    5e90e4c6271fa5868872cdb857bf50bb

    SHA1

    0be1cc8c6caa6aced49d6822a0303e664fd680bf

    SHA256

    9e89b794818ac6dc953deeb9d478b95bc82dc34d50bf7605e6b7834cb5ba15a6

    SHA512

    e6df272862de771edd533d2f90b18285b854d49a33b69901e04cf8729d394c18cf6643b3d3ebb626a39af58da0f9823481017eca1c2d22bb1ddedfafe4cf68be

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    f53178040942c45a9e3bbc9cbca884a1

    SHA1

    a3cb1c31dd80823720f31ce30a0e1037a5611f1c

    SHA256

    df0b5e147a68f093bd4299ac3b5143ac2a522c204f736100fd4a58cd3a4efb12

    SHA512

    df4ca75f59cfe8486a6fda8ebaed75b27d850c26a396db3f184b4b00269c7c013ddfa26b05753373ad2daf36459adc9a2ec44ff851eb1051c573817e6d105d1b

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    454120018b035de5abadd1689c809004

    SHA1

    639f0e58ba40acab8872bd65f2ce901e51c825fe

    SHA256

    1a76e4ca560c62d94710f71419619cddc8815645a6b5cf6d739c83e9db224288

    SHA512

    363b43c4fd3cfa11e732cff4b34e6141c5fc8e606cb5332a8175107f5c22142e456ca62e198e14de30ab233018c9a6219b03289f3f14572e3771daae5a43f3db

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    173KB

    MD5

    9a21a94490ea49c58236e1e22bbe4339

    SHA1

    7abebb38d108d441cb196c6cd4eac46d0f36b49a

    SHA256

    283ddb7dcf16e97fdb423268daafaa8919c45115b6c0afdbad716e4dd32b30de

    SHA512

    b3ba9f12222f5f0461a1836a262148fa4f88fd73c073cfeafebef3c061c385fb25e0a7b7357c10dd7e5902a3b60b87a8a7848dd32b86ab072a0630ea4518fff6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    98416cdcad332fdbf9a9f212369f832a

    SHA1

    ead0bbfe126ee136f31c6ae5c8aef33b0cc106d7

    SHA256

    c6d8a552843df06adca40f6a210ecebddbc0905123d69474ed814d919c6ae9a0

    SHA512

    b708692ee84a0048678336db964e4ab1b79bb02a912e75969ede108e516afdae326f82fb11d36053c4df925a0f5f42616e3d45a62dfefa39c5f56fc1d589c3a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4c46b4ea94c0a8d98b4d58df344ad18b

    SHA1

    a614a5e534fd88d95e31b152fb8d1e5e41f1b0bf

    SHA256

    8e7719ee67c49bc4743e519ade793d6ec97ac6ac5cfb803df5beb61f95c8a12d

    SHA512

    54ccc29b9b87509c8be5099c977791608d9ff6874d130057c648cf7ae1707e0c8600342a4ae8310ba9b024547cc1829578bd91f199ac92b52ae49fa71a073b1e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fb394c1f7ec2214f4ab0b2d42b146e9d

    SHA1

    1d6c1bda9308859aa57d4ce1cf3d760fbbe99368

    SHA256

    98976410e46bd8cb2c5372d95460ed87894c2c16ced5e0df0728e7593e136d01

    SHA512

    2c40311c1a9d25a4fef319e13823454a1f9e3988e29806ab415dfed2977b21abab22bf14b97ac9c5043d2fc630ce43745b38199e86d8b7c1d3b3a9f9783715e0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9f625e4d3d215385e02f89e0e9758801

    SHA1

    f9420ab2cf5fddfc2f66f443c280fada194852e2

    SHA256

    d7e8b557692d616a5b7faf8626de6f057f9d4da50fce28b4f23618a23104a183

    SHA512

    c2d7240558bfe8b545ef3c80c8c3fa8d8d1109818557bc3fb1467fa86c0a3f899c727e072c3440dda14532fe01dfcff73d7012c8145d238a4fa5ae6578b0f6d3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    822b91e019321aec6f7da5a9b2185c36

    SHA1

    ec8b96b19e29f7711990ef43e23aad175b398e7b

    SHA256

    cf1dc73276e64846d23755d0c96b8257f8f741ce0cc0ae5b95e833a3995fed55

    SHA512

    c2e01d7c5ea3b704ab0e293bad3d81af11f35aada38324828444eef41d870a2db63228132dce63d4d5f5a2ff755d29f04796c5bed627e133cbbd43e297b228ab

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fbfecd482dac9b6d0c34a84639b9aadc

    SHA1

    5c9d4f1d3e460be63f804be81feb1442ff204e72

    SHA256

    d2fb9b5ff050fce0f0f7959b46f605b573a5ceb63b080975f1eadbc1328a50bd

    SHA512

    d8a8d49b2acedb4a903f834aacc3562782e832b87a00e6fed9037258eb2d038f9774b45be78e682cd9f00628ee18b634678b029c5c933795948defb59ac98409

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f7e2626cdcae3394b5d0d7ba6a303e42

    SHA1

    8fc0d60f9f3954a90dfb9df21c761f41fc1a39e7

    SHA256

    407a62586c10b8cae40d359ec52c82b2d7a2814e05bf609cfa4c6daf252513a8

    SHA512

    290ef6b80e43fdc73791d883c2952116dba35ee8415ee92058d72a73c44df83c99217184df04f5acc6b93e8a037caf284554f861a999adfd54a32c998359a360

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    84db9b58176aaeb1f2998c2e752b9e80

    SHA1

    34753aae5bd688f5fa9aa24c8b392c91f818bdb0

    SHA256

    670c303acab5c53027c4f100bbe7b20a17fe1ec3aaa596ed44167b9507187cf7

    SHA512

    cd262718fc22a5b20a1cb3221e9354dc88fdea605fdaae8615ebf9129788ea772c5c127d3d1996a4764df725c58f5149b9362f865ccdb23c165707f3ac14afb6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ada83d11663ac4276293336fdcea43eb

    SHA1

    4cea44dcbd97374b68c7f80695006ea9296e4f77

    SHA256

    24111962137372738d499115cea3889d380c8348fe3af79e809799eaac1f8ad8

    SHA512

    9da1937b94bec832781f4633a03003ab1aef84cab1f0d42001fb13c8717482cf1ebd2c8e4fe6802c64310f7c168a072e7273276431526c8183323f759ce7699a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab5CD1.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5D33.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\rdsgmcoenjyy.exe
    Filesize

    356KB

    MD5

    a8e0b0186e5159aa8a772e8d4169d3f3

    SHA1

    7c1f0f6fc4fd2669717e632652ff8a99fb093e69

    SHA256

    1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e

    SHA512

    01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa

    Download Submit

  • memory/1940-6125-0x0000000000140000-0x0000000000142000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2116-6132-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-1917-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-54-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-762-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-6135-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-6127-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-1918-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-5131-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-6118-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2116-6124-0x0000000002BE0000-0x0000000002BE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2280-17-0x0000000000220000-0x0000000000224000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2280-0-0x0000000000220000-0x0000000000224000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2280-1-0x0000000000220000-0x0000000000224000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2692-28-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2864-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2864-31-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download