Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    20-01-2025 13:17

General

  • Target

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe

  • Size

    371KB

  • MD5

    76b0182e3dc2f368facd1446a78d2ae0

  • SHA1

    6e6f6df8ef1a845e335995fbfa48dab3526cea29

  • SHA256

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

  • SHA512

    e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+shrrh.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/7B7913DDD0F0C7FE
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7B7913DDD0F0C7FE
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7B7913DDD0F0C7FE
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/7B7913DDD0F0C7FE
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/7B7913DDD0F0C7FE
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7B7913DDD0F0C7FE
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7B7913DDD0F0C7FE
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7B7913DDD0F0C7FE

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/7B7913DDD0F0C7FE

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7B7913DDD0F0C7FE

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7B7913DDD0F0C7FE

http://xlowfznrg4wf7dli.ONION/7B7913DDD0F0C7FE

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (422) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
    "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
      "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\wgjnycnuutgp.exe
        C:\Windows\wgjnycnuutgp.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\wgjnycnuutgp.exe
          C:\Windows\wgjnycnuutgp.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2276
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1484
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:956
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:536
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WGJNYC~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:616
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1632
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+shrrh.html

    Filesize

    9KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+shrrh.png

    Filesize

    63KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+shrrh.txt

    Filesize

    1KB

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Temp\Cab3AA.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\Tar41C.tmp

    Filesize

    181KB

  • C:\Windows\wgjnycnuutgp.exe

    Filesize

    371KB
