Analysis

  • max time kernel
    124s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    10-12-2024 06:59

General

  • Target

    dd89fb3e83972795705e5b0edc08987f_JaffaCakes118.exe

  • Size

    332KB

  • MD5

    dd89fb3e83972795705e5b0edc08987f

  • SHA1

    e315cce36b0494947c5d7b17b62dd38b24b159a6

  • SHA256

    7b7fd96033bb7a8a932758c8f0f1729d800949c2583c03c8aa3d21089cd28a62

  • SHA512

    1d9098f5e7f291ea7d2df3ad497bd7641c5920cbac5e99544a8b7d4b492e956ab051839fabf30bb5207913e7a1df76ec274e6887e47193c866398f2951be7583

  • SSDEEP

    6144:VcMG0Cmis0NH8A3/1uz7uodnIm5KJHLqreJDckzrYk/:WMZas0NcAvAzyQnR5KJHWreJRrY

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+riqga.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8E34F9C84429E11 2. http://tes543berda73i48fsdfsd.keratadze.at/8E34F9C84429E11 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8E34F9C84429E11 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/8E34F9C84429E11 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8E34F9C84429E11 http://tes543berda73i48fsdfsd.keratadze.at/8E34F9C84429E11 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8E34F9C84429E11 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8E34F9C84429E11
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8E34F9C84429E11

http://tes543berda73i48fsdfsd.keratadze.at/8E34F9C84429E11

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8E34F9C84429E11

http://xlowfznrg4wf7dli.ONION/8E34F9C84429E11

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (422) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd89fb3e83972795705e5b0edc08987f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd89fb3e83972795705e5b0edc08987f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Temp\dd89fb3e83972795705e5b0edc08987f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dd89fb3e83972795705e5b0edc08987f_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\tlgtwbeoxcmi.exe
        C:\Windows\tlgtwbeoxcmi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\tlgtwbeoxcmi.exe
          C:\Windows\tlgtwbeoxcmi.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2620
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2632
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1852
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2952
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TLGTWB~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:596
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DD89FB~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2704
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1940
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+riqga.html

    Filesize

    11KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+riqga.png

    Filesize

    62KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+riqga.txt

    Filesize

    1KB

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Temp\Cab564D.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\Tar570C.tmp

    Filesize

    181KB

  • C:\Windows\tlgtwbeoxcmi.exe

    Filesize

    332KB
