wannacry | 6aaf7f2665f77ae5b9ab560abcab5fdeb95bbfabba1922daa9509547dec78931

Resubmissions

28-01-2025 02:32

250128-c1nlpstrbw 10

25-01-2025 23:18

250125-3ase3stmgw 10

Analysis

max time kernel
50s
max time network
52s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-01-2025 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe
Size

5.0MB
MD5

cafff9fcf64d3db867bf6c0bb6917e5e
SHA1

327e9782b0bf99fa6060f3a971c97c1a7c41dece
SHA256

6aaf7f2665f77ae5b9ab560abcab5fdeb95bbfabba1922daa9509547dec78931
SHA512

46f5fbcd316eae7129f6650887eb6d38866f7616b6ecc96b4ba379a83ef75b8bda60cf74ebf0a7ee431d021d9ab9303e5c71e0f915d62c5bb828031c1e8c42b3
SSDEEP

49152:XnAQqMSPbcBVQej/1Wx+TSqTdXHVKzT6SAARdh:XDqPoBhz1WxcSUjKzT6SAEdh

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (578) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
1704	tasksche.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038f4840d2d71db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e66040d2d71db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048b4050e2d71db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fda1f20d2d71db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a360cd0c2d71db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d77bad0d2d71db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b03f50d2d71db01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049038f0d2d71db01	SearchProtocolHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3452	2260	SearchIndexer.exe	82
PID 2260 wrote to memory of 3452	2260	SearchIndexer.exe	82
PID 2260 wrote to memory of 4560	2260	SearchIndexer.exe	84
PID 2260 wrote to memory of 4560	2260	SearchIndexer.exe	84
PID 2260 wrote to memory of 2276	2260	SearchIndexer.exe	85
PID 2260 wrote to memory of 2276	2260	SearchIndexer.exe	85

C:\Users\Admin\AppData\Local\Temp\2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4304
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1704

C:\Users\Admin\AppData\Local\Temp\2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-25_cafff9fcf64d3db867bf6c0bb6917e5e_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2532

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3452
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2792 2780 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:4560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2784 2756 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a56fed8a8a3fed1c79209334f1c2e67b

SHA1
0d81e451ba2486307d258354f681b008d93a60af

SHA256
641a44c7a3b811376afef0489492bc3bb5f333dd70b767b9d28dd31e44b17e57

SHA512
509ddfb636beb5a2d27b7e87e5be4b9a9fe09c691627516ea54d3e79d5a1cc23d429c5553c51984941a0e744f41e1937b2215c136664ab12438c9f01f626eecb

Download Submit
memory/2260-3-0x000002529CF50000-0x000002529CF60000-memory.dmp

Filesize
64KB

Download
memory/2260-19-0x000002529D180000-0x000002529D190000-memory.dmp

Filesize
64KB

Download
memory/2260-35-0x00000252A1740000-0x00000252A1748000-memory.dmp

Filesize
32KB

Download
memory/4560-39-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-40-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-41-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-42-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-44-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-43-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-45-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-48-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-50-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-49-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-52-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-54-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-53-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-51-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-47-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-46-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-55-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-56-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-57-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-58-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-60-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-59-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-61-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-64-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-67-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-66-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-69-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-68-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-65-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-63-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download
memory/4560-62-0x000001966FF10000-0x000001966FF20000-memory.dmp

Filesize
64KB

Download