Analysis

  • max time kernel
    122s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 10:20

General

  • Target

    fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe

  • Size

    348KB

  • MD5

    fb25ae4ad306c725f65805a5860afbc2

  • SHA1

    95f37a9897a9e87ebeac02af07dad74e065f5402

  • SHA256

    ff643671b6b76520a3a2478674914bd64ff41c7de9021e77bdeeb78df2b4a807

  • SHA512

    8f2e1467d576be29937bd58586b8e1678b68f17b51579610fc4d51aca8d80ae1491f3704a9f7459165197fec2b61b68a919e11477560aa9665fc4ac461d29eb7

  • SSDEEP

    6144:9TXaPzWvU+vHkRBo1lY9djE7aQCzY6/4d2GOuSkvHCJ0nJFIARNeb9BDGkWi:6TAY9G7ao6MnOuSl6wNb9tGkn

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+pnvlc.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/498F10E2EBCBAB79
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/498F10E2EBCBAB79
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/498F10E2EBCBAB79
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/498F10E2EBCBAB79
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/498F10E2EBCBAB79
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/498F10E2EBCBAB79
http://yyre45dbvn2nhbefbmh.begumvelic.at/498F10E2EBCBAB79
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/498F10E2EBCBAB79
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/498F10E2EBCBAB79

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/498F10E2EBCBAB79

http://yyre45dbvn2nhbefbmh.begumvelic.at/498F10E2EBCBAB79

http://xlowfznrg4wf7dli.ONION/498F10E2EBCBAB79

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (422) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself (1 IoC)
  • Drops startup file (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 34 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)
  • System policy modification (1 TTP, 2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\gfnlkxsrkuqd.exe
        C:\Windows\gfnlkxsrkuqd.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\gfnlkxsrkuqd.exe
          C:\Windows\gfnlkxsrkuqd.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2492
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2708
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2928
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2672
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1296
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GFNLKX~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2224
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\FB25AE~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2912
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Downloads
