Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2024 02:57

General

  • Target

    cab485f42e842dc2bacea0a6d7688e6c_JaffaCakes118.exe

  • Size

    340KB

  • MD5

    cab485f42e842dc2bacea0a6d7688e6c

  • SHA1

    13f6796312fc00141756c9c054b300cbe395ae2e

  • SHA256

    474b715681f72984fd5f2a2698e193084a2d2cf71c66931f0cc21d145e66f8c5

  • SHA512

    c23a8f65f1ce62d010bde605f30ff74154ba6e0da20a6ee70faa79e180d0e307a24b1d8300d4b53393bef0ef2484c65b62da1c5304f07daa174c1c25f3da3726

  • SSDEEP

    6144:TUjcXma4WgQ/hWCKiFpaub1VUTJrvTCMXa+r3A6tpE32M+uPrPVJqW/Q4x3IpRFb:TUwX7CQcxub1wJBM6tLRuPrtJpB3Ia

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+wfbfi.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2EE6190EEC5567E
2. http://tes543berda73i48fsdfsd.keratadze.at/2EE6190EEC5567E
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2EE6190EEC5567E
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/2EE6190EEC5567E
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2EE6190EEC5567E
http://tes543berda73i48fsdfsd.keratadze.at/2EE6190EEC5567E
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2EE6190EEC5567E
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/2EE6190EEC5567E
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2EE6190EEC5567E

http://tes543berda73i48fsdfsd.keratadze.at/2EE6190EEC5567E

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2EE6190EEC5567E

http://xlowfznrg4wf7dli.ONION/2EE6190EEC5567E

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (414) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cab485f42e842dc2bacea0a6d7688e6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cab485f42e842dc2bacea0a6d7688e6c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\cab485f42e842dc2bacea0a6d7688e6c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\cab485f42e842dc2bacea0a6d7688e6c_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\loavcdelgvop.exe
        C:\Windows\loavcdelgvop.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\loavcdelgvop.exe
          C:\Windows\loavcdelgvop.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2668
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2228
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1624
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:204
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LOAVCD~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:388
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\CAB485~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2936
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:448
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+wfbfi.html

    Filesize

    11KB

    MD5

    b53b2da2ff63ce8626134793e39d6775

    SHA1

    9b93cdfd8daaa47c8f1e2b97082f87891ab77289

    SHA256

    f5d9590dc5e29a5995aa444f7f8779d0e30bceb414d8875945ef86115722f8ad

    SHA512

    929ce1641b03be0da1b3ae53c5536e2b9aa63ae83bbbcf6de63e3b0a27568067c1f53cfbb5f66184da901f6c6581bdfcaa9f9fa916acabf989eac0d573135414

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+wfbfi.png

    Filesize

    62KB

    MD5

    e06d11d144dadb4607064ecd76ab523f

    SHA1

    3a51dc84239a2f6347029c80eff113491777fa47

    SHA256

    6a369769051b6723c59f63127fe8f4ea04e079d62c4e360307e0e615deb0c788

    SHA512

    475ee9ce88096201ef135b80bf12f06d1f164e57ce7e8244046aee2029cba08267809bd09e11d6398918104335a2360d6ec70d8bf2c876b3f9f586eb8a07210f

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+wfbfi.txt

    Filesize

    1KB

    MD5

    06cd8c9322993f8d1a0ef98e6287a38e

    SHA1

    09a16bf3fb6911ba1f05d0f970cbebf101415cc1

    SHA256

    b0e6be144d56093492fce231c96f51d357e190cc2636bc93ed4156200e095590

    SHA512

    7d93838f25d3222618f0de8163412f39adf5799459479204bfec56f3fcb2bf9db2490421ee1a1e0fecbd70a6f06a1bc7b81ff1c064111e966e62f3d2f1e74d4d

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    fcf8a0cbd9df58112f6a6d54a6051748

    SHA1

    7e52b512b507f33f54e1b31b2118b94487767d21

    SHA256

    7105279df818297759f9eafcea4ec2fb974d0705bb9c1a46eb7ade0d9c5bf20a

    SHA512

    3d16440615740e4cb9ba258d74411424a1e929ba0d49107532dca4c18987ed50c4347e8b3c060b590e668cc53bb6f1ebca93b534a2980f5dc9d90d470e2f7105

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    c1dbe3c22004effd9c7cfbc294449c6a

    SHA1

    a33af9679c8240015511007ef2334e0031226f0b

    SHA256

    d2f59b3ffe26eaee409e39877bec99717a16b55cdf349e35906e5b02820508d4

    SHA512

    6c3090e829d8e0aa8be3d88e697ca316b907d690dbba124fa201ef44ea30393b12ccdc276ff78d3025ba072738d5cbadc1afb7ddec5aefd06c3f4226f214fd82

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    cecba6669fc1615fec106ca9d68f8330

    SHA1

    c15ec0744f13a94878fd70a90c9948db08c793c3

    SHA256

    5bdf5cfb0a7dfddd3641726acc943b95363108a5f772cc8382e7fc517204ce42

    SHA512

    c46beab8f305fbecf641903831a6f1675ff906a40a3914c1f3b42bf1d6eb9268227c893de9f45d08fc65cacb0ba424776e1380e1be7efcd56a6bdf9a5b240d85

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aad3be60604fa1c49e91d3eeeabf757d

    SHA1

    22ac88e4a2e6c5e22ae0b482ea1e395b5e598b15

    SHA256

    b568820895f5f1fd0b6ab0984a65874f895b6215d99c58eecd42b41733a4eff6

    SHA512

    4d683106fd8050f9e2a80192fe64ca26f540f4ff38a98b49aa99afa15e4542c74e3dd99de8bdae2deb9ca1ac76aa2e887b9263ff5c79791b89b97bda915f386d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    258cb531659d1d682ea94797fe59920c

    SHA1

    7b92646483ffa98e5689568ae67bc4ef9be5a3dc

    SHA256

    ba50aa5e460211e319112f615d24e781c0d6077ba197885ea533227690f49c15

    SHA512

    7e70d5faf981fd3c5c4b96673eab2dcde0ef876271b565d822e00ecffddf29684be81c8d76ee4523bdd710699b75f11eda1e2e5e36cfeaa82dab8a23308f9192

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7ca04f697882f009fe2038b68e3cd405

    SHA1

    1b5df013dcef6c3ab849cbd9160ade0c2bd2edde

    SHA256

    a517f9a4f1c7ab6dbd408f4b6df64efd4424a7af5b1edfc393a4ff7b6f6b9b21

    SHA512

    959ced9646645d8c485a5d465a0fb20a37ba44a3587d835a95a8ecdfcec84bbf8923825eb124c2b87266583b6dacca6dc34029be80040a59c6bb64edfd0339e8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0bfe8f034a87dcba110561d35c6281cb

    SHA1

    1bf8a82f4f3c8e8997c13370dcabde1873087831

    SHA256

    f5aba0dbfedfffc5caba4387b37d29c4d466fbb0670b2267f7b3d61ae2b7f6d7

    SHA512

    b178bb6e4ee0afaa841de1fd94c03165bb7166feebc020908e4e6add001fcd539485f39992c38309aa50214441a6e859870039c02617e93a3e497bd7d19f600f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bef69c01cdfdf627e23490ab7014960f

    SHA1

    405253089f3145c5f8f2e9a629fac79ba0baf9fb

    SHA256

    4340741a0e0ae28da6d2c86cfb466c77279278f55dcfb873c2540795e692a06c

    SHA512

    f3bdb2c5409af447ad9d416c9bae17904abc652f3edefd7e2c3387fbbd04fa9443dd70d8e5bf2d46c23b2fe99066cfe80e4c4a6b30e9b5266fa4211cef6d29ee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ab008098a3e2448a08fcde1c3a1455ca

    SHA1

    052bc11cf1599201215cdfdff83c5b1074a3ad0f

    SHA256

    5730cd95e37471d169c81a10a2872f8ea2d17a15c9197e8321f3dca3c2a3f2f5

    SHA512

    39a9a0cb326790e9fbba2599eee4318676ef6c5b6d1ad0279f2b79d256a81ae1b2e16572f2edf3aeaffd5b64cefe1582cc926382f3e8a6a86278e9150719f7dc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5621798e3c93f370cfcbe3f9605bd97e

    SHA1

    c7976569edc99a3999ca3352481264d930beafd2

    SHA256

    46d2eb517bcbfea33e9484657f9b658286629d9aa7ab057a1a7a144a0236f1ec

    SHA512

    598fea0660c53d298c2f9272a86cc29419e4e9f19d8ec9f16beb48a66a25b166135180e81e5b90a647dd339bce49422c10176b0d1ee8d702681ac2d65cc60216

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e4c6ecc1578a8c395ef9b27e1ab4286e

    SHA1

    bf5726f414b390f85a08b0752218e519c1a8d0ca

    SHA256

    899616096975b7ce91f457b807f279a806480cb26ad2d91268143a1c0a809fcf

    SHA512

    6d4e3b48a4c0eb9e33055507a8427fdbc21efc6fba2c73839364c1883282779d7b9948baa554c74c6781ec1299d8faaef9fc27993c234806e959082c2e0285a0

  • C:\Users\Admin\AppData\Local\Temp\Cab8CB8.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar8D67.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\loavcdelgvop.exe

    Filesize

    340KB

    MD5

    cab485f42e842dc2bacea0a6d7688e6c

    SHA1

    13f6796312fc00141756c9c054b300cbe395ae2e

    SHA256

    474b715681f72984fd5f2a2698e193084a2d2cf71c66931f0cc21d145e66f8c5

    SHA512

    c23a8f65f1ce62d010bde605f30ff74154ba6e0da20a6ee70faa79e180d0e307a24b1d8300d4b53393bef0ef2484c65b62da1c5304f07daa174c1c25f3da3726

  • memory/888-6081-0x00000000001F0000-0x00000000001F2000-memory.dmp

    Filesize

    8KB

  • memory/2156-0-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2156-14-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2484-5-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-28-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-13-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2484-9-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-7-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2484-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-1629-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-6074-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-6083-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-6084-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-6089-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-6092-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-6080-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

    Filesize

    8KB

  • memory/2668-47-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-50-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-4888-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-1628-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2668-1395-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2776-25-0x0000000000400000-0x0000000000564000-memory.dmp

    Filesize

    1.4MB