Analysis

  • max time kernel
    124s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
  • submitted
    07-12-2024 22:09

General

  • Target

    d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe

  • Size

    360KB

  • MD5

    d3d85f14ecf91860db6d7e8bd7d48430

  • SHA1

    faf1f9843c253b06b9dfabf7a9e5d365e60094ca

  • SHA256

    ee5c846448eddad058793075600dc9926997b62a3a8d56432a6c059e9b1363fc

  • SHA512

    16796001fd2fe9001c5d5eb8b077907a9d2bd975de7162c78da3e688c7588532268b18b220e60674c59890a3d4e55cbbbadda08d7ded0c19025be9c2ca6b5448

  • SSDEEP

    6144:oDDhiP9TRiDh3pVFEy46iYxtLgVbYYwGaUMMJZmzAlxoYmEk5eyL/YsZQf6lMenT:uk19iDhZV2yWYxtLg+Y4MJZRGf5J7Ysf

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iivxa.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C075EB98242BB3FE
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C075EB98242BB3FE
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C075EB98242BB3FE
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/C075EB98242BB3FE
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C075EB98242BB3FE
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C075EB98242BB3FE
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C075EB98242BB3FE
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C075EB98242BB3FE
URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C075EB98242BB3FE

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C075EB98242BB3FE

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C075EB98242BB3FE

http://xlowfznrg4wf7dli.ONION/C075EB98242BB3FE

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (407) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\mtymfuqxbooj.exe
        C:\Windows\mtymfuqxbooj.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\mtymfuqxbooj.exe
          C:\Windows\mtymfuqxbooj.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1856
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1564
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2752
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1612
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1448
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MTYMFU~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D3D85F~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2860
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2512
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads
