Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-12-2024 01:52

General

  • Target

    e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe

  • Size

    340KB

  • MD5

    e42b2d9d303b72ec6689ae2b96f16236

  • SHA1

    cb8bf99248ade830b4a5dcc23a813c91bc698c6e

  • SHA256

    335db66a2abb1f82bd92f5b6cd74722b9d5cf209beac6dcb2eefde17603d6a99

  • SHA512

    200dfb19eb35841773837dfa94345c35f6108ed23f952d34b930c20d89b65119ce18725aa33b9e306169794c5782c7cb763826188e6b379fbcfe0a0d552ba762

  • SSDEEP

    6144:aog0kgLyJrIA0UTTng6+bq34dxSM7Zg8EU07L7m9JYie:XfLyLnDIwonZg8EPy9JYT

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4F5662178FC3C2
2. http://tes543berda73i48fsdfsd.keratadze.at/E4F5662178FC3C2
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4F5662178FC3C2

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/E4F5662178FC3C2
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4F5662178FC3C2
http://tes543berda73i48fsdfsd.keratadze.at/E4F5662178FC3C2
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4F5662178FC3C2
*-*-* Your personal page Tor-Browser:
xlowfznrg4wf7dli.ONION/E4F5662178FC3C2
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4F5662178FC3C2

http://tes543berda73i48fsdfsd.keratadze.at/E4F5662178FC3C2

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4F5662178FC3C2

http://xlowfznrg4wf7dli.ONION/E4F5662178FC3C2
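The ransom note is where this run's network indicators live: three clearnet payment pages and one Tor hidden service, all sharing the same per-victim path component. As an added example, not part of the sandbox report, the Python below extracts them from the note text: it normalises the uppercase .ONION spelling, discards the helper URLs the note cites for the victim's convenience (Google Translate, Wikipedia, the Tor Project), and pulls out the victim identifier. The RANSOM_NOTE excerpt is constructed from the note above; the BENIGN_HOSTS list and the victim-ID format (ten or more uppercase hex characters) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the ransom note reproduced above (the note text is the
# sample's; the surrounding code and BENIGN_HOSTS are this example's).
RANSOM_NOTE = """\
NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4F5662178FC3C2
2. http://tes543berda73i48fsdfsd.keratadze.at/E4F5662178FC3C2
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4F5662178FC3C2
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/E4F5662178FC3C2
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4F5662178FC3C2
http://tes543berda73i48fsdfsd.keratadze.at/E4F5662178FC3C2
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4F5662178FC3C2
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E4F5662178FC3C2
"""

# Hosts ransom notes cite for the victim's benefit; not attacker infrastructure.
# (Assumed list for this example.)
BENIGN_HOSTS = {"translate.google.com", "en.wikipedia.org", "www.torproject.org"}

# Either a scheme-prefixed URL, or a bare v2 (16 char) / v3 (56 char) .onion
# address: TeslaCrypt notes give the Tor address without a scheme, as above.
URL_RE = re.compile(
    r"https?://[^\s<>\"']+"
    r"|\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)
# Assumed shape of the per-victim identifier in the URL path.
VICTIM_ID_RE = re.compile(r"[0-9A-F]{10,}")


def extract_iocs(note: str) -> dict:
    """Pull payment-page URLs, their hosts and the victim identifier out of a ransom note."""
    urls, clearnet, onion, victim_ids = set(), set(), set(), set()
    for match in URL_RE.finditer(note):
        raw = match.group(0).rstrip(".,;:)")
        if "://" not in raw:
            raw = "http://" + raw          # bare .onion address
        parts = urlsplit(raw)
        host = parts.hostname              # urlsplit lower-cases the host
        if host is None or host in BENIGN_HOSTS:
            continue
        urls.add(f"{parts.scheme.lower()}://{host}{parts.path}")
        (onion if host.endswith(".onion") else clearnet).add(host)
        path_id = parts.path.strip("/")
        if VICTIM_ID_RE.fullmatch(path_id):
            victim_ids.add(path_id)
    return {
        "urls": sorted(urls),
        "clearnet_hosts": sorted(clearnet),
        "onion_hosts": sorted(onion),
        "victim_ids": sorted(victim_ids),
    }


if __name__ == "__main__":
    for key, values in extract_iocs(RANSOM_NOTE).items():
        print(f"{key}:")
        for value in values:
            print(f"  {value}")
```

The two spellings of the Tor address collapse to one URL after normalisation, so the note yields four distinct payment URLs, three clearnet hosts, one onion host and one victim ID; the victim ID is the field to pivot on when correlating other hosts' notes from the same campaign.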

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (420) files with added filename extension

    Consistent with ransomware encrypting files across the system and marking each encrypted file with a new extension.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs

    Seen on the two parent stages (PIDs 2440 and 2624 in the process tree), each of which spawns a second copy of its own image and writes into it (WriteProcessMemory). Together these are consistent with process hollowing / self-injection, in which case the code that actually runs in PIDs 1292 and 2540 would not be the on-disk PE.
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\uyiyijkdctmg.exe
        C:\Windows\uyiyijkdctmg.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\uyiyijkdctmg.exe
          C:\Windows\uyiyijkdctmg.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2540
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2596
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2416
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2532
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UYIYIJ~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E42B2D~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1768
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2068
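The two WMIC invocations and the two cmd /c DEL children in the tree above are the events a detection engineer would key on. As an added example, not part of the sandbox report, the Python below runs a small rule set over process-creation events constructed from this tree: it flags shadow-copy deletion command lines (T1490, Inhibit System Recovery) and, by resolving each cmd /c DEL target back to the parent process's image, including 8.3 short names such as UYIYIJ~1.EXE, the "Deletes itself" behaviour. The ProcEvent layout, the EVENTS list and the benign PID 3100 control event are assumptions of this example, not sandbox output; the PIDs, images and command lines are copied from the tree.

```python
import re
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events. PIDs, images and command lines are copied
# from the process tree on this page; the event layout is this example's, not the
# sandbox's export format. PID 3100 is a benign control that must not fire.
EVENTS = [
    ProcEvent(1292, 2440,
              r"C:\Users\Admin\AppData\Local\Temp\e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\e42b2d9d303b72ec6689ae2b96f16236_JaffaCakes118.exe"'),
    ProcEvent(2540, 2624, r"C:\Windows\uyiyijkdctmg.exe", r"C:\Windows\uyiyijkdctmg.exe"),
    ProcEvent(1680, 2540, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(2596, 2540, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ProcEvent(2828, 2540, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UYIYIJ~1.EXE'),
    ProcEvent(2764, 1292, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E42B2D~1.EXE'),
    ProcEvent(3100, 900, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy list brief'),
]

# Command-line patterns for T1490. Only the wmic form appears on this page; the
# other three are the usual siblings a rule set should carry alongside it.
RECOVERY_INHIBIT = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
]

# "cmd /c DEL <target>": capture the target so it can be compared with the parent image.
CMD_DEL = re.compile(r"/c\s+del\s+\"?([^\s\"]+)", re.I)


def _short_name_stem(path: str) -> str:
    """'C:\\Windows\\UYIYIJ~1.EXE' -> 'uyiyij' (the 8.3 prefix); long names give their stem."""
    name = ntpath.basename(path).lower()
    return name.split("~", 1)[0] if "~" in name else ntpath.splitext(name)[0]


def detect(events):
    """Return sorted (pid, rule) hits for shadow-copy deletion and parent-image deletion."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        if any(rx.search(e.cmdline) for rx in RECOVERY_INHIBIT):
            hits.add((e.pid, "shadow_copy_deletion"))
        m = CMD_DEL.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent is not None:
            # A child deleting the image its parent runs from is the
            # "Deletes itself" behaviour flagged in the Signatures section.
            target_stem = _short_name_stem(m.group(1))
            parent_name = ntpath.basename(parent.image).lower()
            if target_stem and parent_name.startswith(target_stem):
                hits.add((e.pid, "parent_image_deletion"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

The 8.3 handling matters in practice: the sandbox labels only PID 2764 as "Deletes itself", but PID 2828 is the same pattern one level down (the installed copy removing C:\Windows\uyiyijkdctmg.exe via its short name), and a rule that compares the full long name would miss both. The control event shows that `wmic shadowcopy list` alone does not fire; the rule needs the `delete` verb.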

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.html

    Filesize

    11KB

    MD5

    4fc1105a67ba6268d3520b8a11a7ecd8

    SHA1

    d560221cf4db95d2d9c557be3f51eb253fcb2ad6

    SHA256

    b88dacad65448f9b3b4990b71e6a59e7afe5c4038fb0d1e5936776989af8369a

    SHA512

    92bb3fad6265c6e8106f7dd3e697b0c2c6ec289eab2e36d9a7ba5c1955492903a298ebd754e3b49a0dd399a66437acdd055aa91d0b23d9e78d709662faabcef6

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.png

    Filesize

    62KB

    MD5

    c8935a8d29cb52205131c08de190335a

    SHA1

    b61282e995378bd8464dcff9f5451aa4ea782dfa

    SHA256

    c13be4511218d8559ee4a99b4bb63605ebeaa542260316b7e4ce5399e17497fe

    SHA512

    96f80e6b10e546ad13e5533ab8631a63d2dbf9cf267d8e740f523fb40a742f5b80c341d9fe137c3944ad9cd446c9235e88d0c0ea5f6af3236643b6423258a909

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.txt

    Filesize

    1KB

    MD5

    3beefde7430287fdd60b15795a06c538

    SHA1

    9998eb694a3afca26d507107048c5a28f99e209c

    SHA256

    8035e14c107aabdaf9eba1854e9d4c3809542ae88e3891ac83ae06e5e1f9ab6f

    SHA512

    407527e2858344d46858800e3ec460f4525f638247de8770b1c79759706f2f78a33edab639e563542424eceb4d85b8918b161da2b5dd2378bb002974286737b6

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    27042441868a9f8f95583c0263beea2c

    SHA1

    0480b0d471b4025e347529c07152ea92939d2636

    SHA256

    93b6c675a5cc76f1bc5ae6320fc0cc6a749fe101d0b5bf4f251009bf002002d1

    SHA512

    e3f6af6a1f1fb8b4c1b751822aeafe371030e4d2db2e4bc675b79143be317a532867c74dd40d694f802071a9eec77e17544046bef7dde754477f99a06b0fd72e

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    7d72ed74af53bf2587af0e14a715d69e

    SHA1

    28ef9b01775893ee52795773b7c15644e1947f66

    SHA256

    e6794ca9a6e3c47e6c5f406b7a3e750f77b3b936db2dd2702091e89ee13c8d16

    SHA512

    fa8b12516f357aed4705e67ab2c3c9cdd9f1692140f7edc9aab0ae576f615c0ffc4bf4d1941074a6f1f12b8233beeeb24c73e9d8f94fead9b59d295d10020f33

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    54cbf118a3628440a90b65b1633c4530

    SHA1

    64b0360cfb06a5409a87d268262df24934373114

    SHA256

    49da427a6f4f5a960c4967ef5bc195888bd9f9a143403722efc704a7015f8935

    SHA512

    ce349462d0cbeee843b6317ce8226884f98659b9bbd2570769038239644c8632b380fe140d5f3fcde58247e2e5ffcae45559d9ca6b56395f7e379b4bf539a37d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    545bd1952607a4f79c33c17e113b59ed

    SHA1

    e3f76633001be8c6819dbddfa8f78fa9faac243d

    SHA256

    3f1a59a252b5e748f388960c9540add418194337faea5a10c029d100482a35cf

    SHA512

    4875207afd09a5a7dcdd0424ab652b23802ad4fab3d6cefaac17443c0a84391c73a84d79c13a15570d9df99923fce1135ac6ce163d0011f97b66e9249a86f89d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    221b9dd70b5d22bb636e27804f3943f4

    SHA1

    096fecb23e66e044f7fa239e31ee4c1842c38132

    SHA256

    7b1d5a2ee0f67702a6558038161136bd972b6826b4fd0fec97a93f05d437851e

    SHA512

    9e3dda863215e4597a1cf66dc8eef587cf8a8e4bcf8b0e5e5920559989e1f312f140533f8c4817e1bfa0448652616d3ab5ccc512d5419a3fce86862d81a63a75

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    68d5375cdeea9e47f450049aa11d913c

    SHA1

    be010dde74ecaf491ee2befbdfb90d0b2b34a489

    SHA256

    6fc20f4b652426fa65adf456782e8343eb74f1e13ad4572abeaaa2b3f097ee1e

    SHA512

    486cf3d7fc477fc0353ba39254fe50f968f9d45a61af4f9567810f8b0822e07f468f1e456e0df750e5b0420f28021ef815cce2985489c659515bcb68aafc884f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1663873da741ffe30d97768e71029e26

    SHA1

    e780b11be364b8dfce343654c2c92930d65f2af9

    SHA256

    840651181a8cd7d00a848589c61746b0689881955269680af5dcc40ed3ae4d4d

    SHA512

    1b0671cc11291df13781574c131e0c4feba308eb83397a3c6be997b5f243b4c9fd2c951870b89b0181dc0b4ba872d1398e2f015ad48f175d995beb4350d408f8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b5e151ad847b394ccd4f4ce230db94cd

    SHA1

    5993aa0c68da50bdcf8f23d5a172447704511957

    SHA256

    3c985dcf4b9733ab957cd0f28edbe111f50662e1cbad481b665f8ddc5c00df17

    SHA512

    2cfa1f27c1b54b815d1299b08ca51c5bd1f6ecaf1e2cf1e2edad7a287e21701d00e5c29143533d71fab90befc89c8e2f85b356796cd5f5df7c5154c4dc2a0673

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cc18e8322cee2d4735d0ddbac5a7c287

    SHA1

    903462fbab6ff4048da95c255500299b5c2a2490

    SHA256

    1132cc3deda3003510330b7cd920481befbbd8fc3c81c455d9d1066e539c3593

    SHA512

    40c247d500d204c51ce7665334ef04bd5e04331193d8d74ec7d3e314135b4240921e471ddb4faf8d4dfdb78da77b5d3db5ef4608122c9cdf87d492e91682f440

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    84f7e135ac45f9dc13a49e950c66880a

    SHA1

    b367d4bb9b96644a7457ad0ab8dfcc40e2f3df8f

    SHA256

    b271476a7fb1b62e8df79e0d2fdcef10ffbb7cb453d3525ff7c49d4a9af30afe

    SHA512

    4eb69b2dd1835dec1ff5059ce06537221578a1eda9b19912060682cc2a97eb29418fd0d1f938c91b5f50a5cb243a4e2dc6d7ace6fea25f08bdfb8d502226c6db

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8eb59013503aefa79a6fbb9092deaf3b

    SHA1

    86aa672c1c01547dff1000ee0d6e9860dbc910e8

    SHA256

    75769481b800c0628b73217f1d7d892035d23a3c29393b0c853cfa809b277a8e

    SHA512

    be04a56ad71a41c1888813a451ba1961d5a131ecd0b16f722d624bdb0c7cdffc7bafcee8044fc6610b4376226c2b0652b8e10a3a0b2ffe867b3aebe98615f908

  • C:\Users\Admin\AppData\Local\Temp\CabF4CB.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF53E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\uyiyijkdctmg.exe

    Filesize

    340KB

    MD5

    e42b2d9d303b72ec6689ae2b96f16236

    SHA1

    cb8bf99248ade830b4a5dcc23a813c91bc698c6e

    SHA256

    335db66a2abb1f82bd92f5b6cd74722b9d5cf209beac6dcb2eefde17603d6a99

    SHA512

    200dfb19eb35841773837dfa94345c35f6108ed23f952d34b930c20d89b65119ce18725aa33b9e306169794c5782c7cb763826188e6b379fbcfe0a0d552ba762

  • memory/1292-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1292-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-7-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-15-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-14-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-9-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-27-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-5-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1292-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2068-6084-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

  • memory/2440-0-0x0000000000370000-0x0000000000373000-memory.dmp

    Filesize

    12KB

  • memory/2440-16-0x0000000000370000-0x0000000000373000-memory.dmp

    Filesize

    12KB

  • memory/2540-1838-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-6088-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-5345-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-49-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-6091-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-47-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-6077-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-6094-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-1839-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-1249-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-6087-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2540-6083-0x0000000003100000-0x0000000003102000-memory.dmp

    Filesize

    8KB

  • memory/2624-28-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB
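Two things in the Downloads list above are worth pulling out programmatically: C:\Windows\uyiyijkdctmg.exe carries exactly the same SHA-256 as the submitted sample, so one hash covers both the dropper and its installed copy, and the three Recovery+nosdf.{txt,html,png} files in the MSOCache directory are one ransom-note set (the TXT opened in Notepad and the HTM opened in Internet Explorer in the process tree are the desktop copies of the same note). The CryptnetUrlCache metadata entries and the Cab/Tar .tmp pair are the kind of artefact typically left when iexplore.exe renders the HTML note and CryptoAPI fetches certificate data; they should not be treated as payloads. The Python below is an added example, not report output: DROPS is a constructed subset of the table with hashes copied from it, and the length bound on the random part of the note name is an assumption.

```python
import re
import ntpath
from collections import defaultdict

# SHA-256 of the submitted sample, from the General section of this report.
SAMPLE_SHA256 = "335db66a2abb1f82bd92f5b6cd74722b9d5cf209beac6dcb2eefde17603d6a99"

# Constructed subset of the Downloads table as (path, sha256) pairs; the hashes
# are copied from the page, the list itself is this example's.
DROPS = [
    (r"C:\Windows\uyiyijkdctmg.exe",
     "335db66a2abb1f82bd92f5b6cd74722b9d5cf209beac6dcb2eefde17603d6a99"),
    (r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.txt",
     "8035e14c107aabdaf9eba1854e9d4c3809542ae88e3891ac83ae06e5e1f9ab6f"),
    (r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.html",
     "b88dacad65448f9b3b4990b71e6a59e7afe5c4038fb0d1e5936776989af8369a"),
    (r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nosdf.png",
     "c13be4511218d8559ee4a99b4bb63605ebeaa542260316b7e4ce5399e17497fe"),
    (r"C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt",
     "49da427a6f4f5a960c4967ef5bc195888bd9f9a143403722efc704a7015f8935"),
    (r"C:\Users\Admin\AppData\Local\Temp\CabF4CB.tmp",
     "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f"),
]

# Ransom-note naming seen on this page: "Recovery+<random>.{txt,html,png}".
# The 3-8 character bound on the random part is an assumption, not a page fact.
NOTE_RE = re.compile(r"^recovery\+[a-z0-9]{3,8}\.(txt|html|png)$", re.I)


def copies_of_sample(drops, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return sorted(path for path, sha in drops if sha.lower() == sample_sha256.lower())


def ransom_note_sets(drops):
    """Map each directory holding ransom notes to the sorted note formats found there."""
    by_dir = defaultdict(set)
    for path, _ in drops:
        m = NOTE_RE.match(ntpath.basename(path))
        if m:
            by_dir[ntpath.dirname(path)].add(m.group(1).lower())
    return {d: sorted(fmts) for d, fmts in by_dir.items()}


def triage(drops, sample_sha256=SAMPLE_SHA256):
    """Summary a responder wants from the drop list: payload copies and note locations."""
    return {
        "payload_copies": copies_of_sample(drops, sample_sha256),
        "note_dirs": ransom_note_sets(drops),
        "distinct_hashes": len({sha.lower() for _, sha in drops}),
    }


if __name__ == "__main__":
    summary = triage(DROPS)
    print("copies of the sample:", summary["payload_copies"])
    for directory, formats in summary["note_dirs"].items():
        print("ransom notes in", directory, "->", formats)
    print("distinct file hashes:", summary["distinct_hashes"])
```

Note-set directories double as a list of what the encryptor walked: on a real host, every directory that received a Recovery+ triplet is one whose files should be assumed encrypted.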