Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06/10/2024, 09:52

General

  • Target

    179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe

  • Size

    338KB

  • MD5

    179a81e1174983c3e0daa57cb85d745d

  • SHA1

    656b2b7cb178f2cef1ada8dc2197587e680740af

  • SHA256

    332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58

  • SHA512

    2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59

  • SSDEEP

    6144:X44EAEGxYSNuwZN+P0GUcjfmlqLErpeKmDXmBSs0AKUEURq7X13SvPHg:X42pYSJ+Pq8+lh/mDXy0AKUHEz1Cvvg

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.txt

Ransom Note
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93 2. http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93 3. https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: wls3uapur3zjm5gm.onion/A26515C3C4BCFD93 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93 http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93 https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93 Your personal page (using TOR): wls3uapur3zjm5gm.onion/A26515C3C4BCFD93 Your personal identification number (if you open the site (or TOR 's) directly): A26515C3C4BCFD93
URLs

http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93

http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93

https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93

http://wls3uapur3zjm5gm.onion/A26515C3C4BCFD93

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl">What happened <!------sfg2gdfstw5ey3345 --> to your files?</b></font><br> <font style="font-size:13px;">All of your files were<!------sfg2gdfstw5ey3345 --> protected by a strong<!------sfg2gdfstw5ey3345 --> encryption with<!------sfg2gdfstw5ey3345 --> RSA-2048 <br> More information about the <!------sfg2gdfstw5ey3345 -->encryption RSA-2048 can be<!------sfg2gdfstw5ey3345 --> found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font> <br><b><font class="ttl">What <!------sfg2gdfstw5ey3345 --> does this mean?</b></font><br><font style="font-size:13px;"> This<!------sfg2gdfstw5ey3345 --> means that the <!------sfg2gdfstw5ey3345 --> structure and data within your files have been irrevocably <!------sfg2gdfstw5ey3345 -->changed, you will not be able to work<br> with them, read<!------sfg2gdfstw5ey3345 --> them or see them, it is the same thing <!------sfg2gdfstw5ey3345 -->as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. <br>All your <!------sdkfg3265436456hdfskjghfdg --> files were encrypted with the public key, <!------sdkfghd456334565436fskjghfdg --> which has been <!------sdkfghd45363456fskjghfdg --> transferred to <!------sdkfghdfskjghfdg -->your computer via <!------sdkfghd4356345643564356fskjghfdg -->the Internet.<br> <!------sdkfghd34563456fskjghfdg --> Decrypting of <!------sdkf45363456ghdfskjghfdg -->YOUR FILES is <!------sdkfghdfs4563456kjghfdg -->only possible <!------sdkfgh45364356dfskjghfdg -->with the help of the <!------sdkfghd4563456fskjghfdg -->private key and <!------sdkfghd43563456fskjghfdg -->decrypt program, <!------sdkfghdf43564356tyretyskjghfdg -->which is on our <!------sdkfgh34565346dfskjghfdg -->SECRET SERVER!!!. </font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br> <!------23452345dgtwertwre --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> <!------sadfs32452345gfdsgsdfgdfsafasdfasdfsadf --><b>1.<a href="http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93" target="_blank">http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93</a></b><br> <!------ds234523452345fgwert --><b>2.<a href="http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93" target="_blank">http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93</a></b><br> <!------wer234524353245terwtewrt --><b>3.<a href="https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93" target="_blank">https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93</a></b><br> <!------sfg2gdfstw5ey3345 --></div><br><div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address bar: <font style="font-weight:bold; color:#009977;">wls3uapur3zjm5gm.onion/A26515C3C4BCFD93</font><br>4. Follow the instructions on the site.</div><br><br><b>IMPORTANT INFORMATION:</b><br><div class="tb" style="width:790px;"> Your Personal PAGES: <b><br> <a href="http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93" target="_blank">http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93</a> <br> <a href="http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93" target="_blank">http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93</a> <br> <a href="https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93" target="_blank"> https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93</a> </b> <br> Your Personal PAGE (using TOR): <font style="font-weight:bold; color:#009977;">wls3uapur3zjm5gm.onion/A26515C3C4BCFD93</font><br> Your personal code (if you open the site (or TOR 's) directly): <font style="font-weight:bold; color:#770000;">A26515C3C4BCFD93</font><br> </div></div></center></body></html>
URLs

https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93</a>

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (387) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Roaming\vcwmid.exe
      C:\Users\Admin\AppData\Roaming\vcwmid.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2652
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2740
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2300
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2328
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwmid.exe >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\179A81~1.EXE >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2688
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2724
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2516

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.html

            Filesize

            4KB

            MD5

            852d7d4451cfdc5286a2a93946e77858

            SHA1

            db217aa1c7314fff02558b456c4657f8fe2529f2

            SHA256

            ecb048544abe6fca12acd5ac0e85ea62c90c3554a782dbbf2635fb556f2b2143

            SHA512

            05fd1aecd09340fdd093b9a6f744844ccc074a9c182741bd063fde81d210f5f0a26bf5eb76d9a50ad200989eaf0962343e1de4e7083838725d2f29ec0e193e30

          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.txt

            Filesize

            2KB

            MD5

            b5fdf2d579d45f12248d4a8fdcf2a86e

            SHA1

            72c901eb8fa27c1e0d8f7ed4344ea74203bead9e

            SHA256

            5ad2df968aa1dd0dd7fb56c2e43c70d45beaa143045a5e61591cb9bfb1c923ed

            SHA512

            7a58db682938e1971358defcc80882ebd0e1fde115f718ab3b02dcc83906ce76805f2f88ef20473855f6ae781a87a6b534405d26ec47a4f7709a086543142051

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            d170394c5aa7be6304e7c6bc39849c02

            SHA1

            7c6fe3fe15d4fbf99179841706e29519a82f4f95

            SHA256

            5c0b80d2e83a41e39a8e094a5187e9dcbce46f157410504a4fd0ac8b0792031b

            SHA512

            e0ffa7c3ab95d53f036d7af2611ad79d7e05c470e99098e9b630a6c148f5d461c6a00e37df690d43ac58b4ed2b3d0c4e0916992cc2fcec8bd6124ee7035dc820

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            cddd25cc9c4a1221f1d51b9b3742819d

            SHA1

            4a0199deb90e2aaf3c9243289699e0266df7f80e

            SHA256

            194e5ed77bcf0c0312a8736936b2ead194fb014d3427ba2c8a6eb470ae65a91b

            SHA512

            aed3efaee5a4824ab31844a3a5f12c9a2fb89b8daa46bd7121fdcd6235f18c6647d1e8cd83dc8499bc2d9062994139202787063384558040359f2dcffe3e2a91

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            c751c3701b44449323663b89f0e8455b

            SHA1

            d4d91e507cea5aa5256117e83822c83b944f0509

            SHA256

            1d05b5e36977b8d4d1aeec4fef0c067cf3e2e1be6ca24cd66f3366e33510a0c5

            SHA512

            eac5799a4f7f2e698fe8159408aeb6b7ad31a6a7e5543f96cc8bcc1bd36e03c253c5d3a74f6f6ac2f1049022670eb0628cdd307086eb70db094c7abdfe7382c9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            e48af88b0965e3314895bb4dbfe44b92

            SHA1

            df734ba140afc64bb2e720e035fe97052fc534b0

            SHA256

            104c6ed27d9c661cabab98a928916451cbbdfdcfaaee15f49cd2ead457ea9e7e

            SHA512

            f1ea5e37120b1fbe1e4cc2d033473304c0ab628dd75d59528d9e6ccd5b78d718f98715484dee3bf5cdfe3c801ff970f009549fee01df52618c2e9e92e70965ea

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            da8c9b96c7965401b1bddf3333226c4f

            SHA1

            6d405f1fc978623231318857747f035d0895d34c

            SHA256

            665aa9b7a9a7c964b5d5852ff01fc8d56d7bf444ceab6679d948b298c5264b86

            SHA512

            5a888cef96e52414eb169084ecaa0d54d14f57799411dbaa8770a78b170fe23ca5bca33784f1284669077ef10cc3b50532b84c9f456665ec49af6a32195f5ebf

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            1cddcc1608e648d947efacbc115caaef

            SHA1

            87431bce0a3d7b7b592d8d705e9ffc42d1a4ec2a

            SHA256

            cb605dce95a5da619c69490d798dfaeeaa01303f81ae772b74777a2b2c4ab3a9

            SHA512

            1496e9e9347ae0794f19c3a9e2285cf7e9fa83c5681ced1763f6fbacf94a90a37c47d11744ea6909de4ed3d80a00718e580b4a74357b8b69cf8630c12d9de150

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            46edbad0f561b0053dbcd148458aec46

            SHA1

            76cd81fc19300b8a1c8e9eb4d12a4a9123b61601

            SHA256

            e87ced27f29c8e793c6e1ce3745c3b442479267df1beb0212b8eeff1fe51436c

            SHA512

            96621ade5654d873d828fb543497e232e7c9cc79a7f0033ab3950c62042ec7ac2aa6e11a35b3c715155dbf6fe7c6a3b5e1ae2dcd97b019ae3ccddad0d16e36e5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            3f07cca52929ff762bc95b2e82899296

            SHA1

            e43f9eb804b6d31f2b85cef4d2ea87d83003bdc1

            SHA256

            300b6ccd4eee50f435a728a3d8cf0845ed6f694446c55f9fc5b4c5d4bd9c915b

            SHA512

            3acdfa212fedde12686800abdcb45a6224d4d9e33cefdf90b44d7da1f412a4206ffec422fb23167db9f79df977f43a463a9b715b056c52aebf5298a5b9718d69

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            157ab78d0f1fc22b24a2024bba8a15d2

            SHA1

            634dd7aa99ffa8fc4330f252ca4eecc62fe62f9b

            SHA256

            f1a25d65353808f81b72635d1eb7e0be48a16d145f905fdfc42bc3a39578c0d0

            SHA512

            7af7e9b3433c0023e106029de02c456df496b1cc6a1041a8490c0086d285225bf3160aa28223a0a7510d38f5ab5f68236f0ea234750a311a07035cba5ab5584c

          • C:\Users\Admin\AppData\Local\Temp\Cab5083.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\Tar7FC2.tmp

            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • C:\Users\Admin\Desktop\RESTORE_FILES.BMP

            Filesize

            2.3MB

            MD5

            fca3287478e487981e201c3984386d8e

            SHA1

            c75954a0ac279a7a752e4bea41b35739793ee561

            SHA256

            6c839b4f1ceb90834cd6d1272568693b0d61c619942897c6104ed5ac4fceebb1

            SHA512

            f709e8a57b24c7550431fc4fbff8d01c085576680d16334644ff625cd73b3719f4f54481d9061b6a0e62ab9e5a6c2a8ef7eadfba6a9f43cd755bb19dc0717cb8

          • \Users\Admin\AppData\Roaming\vcwmid.exe

            Filesize

            338KB

            MD5

            179a81e1174983c3e0daa57cb85d745d

            SHA1

            656b2b7cb178f2cef1ada8dc2197587e680740af

            SHA256

            332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58

            SHA512

            2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59

          • memory/2080-5-0x00000000002C0000-0x00000000002C4000-memory.dmp

            Filesize

            16KB

          • memory/2080-11-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB

          • memory/2080-0-0x0000000000230000-0x0000000000233000-memory.dmp

            Filesize

            12KB

          • memory/2080-1-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB

          • memory/2516-4242-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

          • memory/2652-4241-0x0000000003820000-0x0000000003822000-memory.dmp

            Filesize

            8KB

          • memory/2652-3507-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB

          • memory/2652-17-0x0000000000240000-0x0000000000244000-memory.dmp

            Filesize

            16KB

          • memory/2652-13-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB

          • memory/2652-4265-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB

          • memory/2652-4871-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB

          • memory/2652-4877-0x0000000000400000-0x0000000000521000-memory.dmp

            Filesize

            1.1MB