Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2024 05:05

General

  • Target

    2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe

  • Size

    364KB

  • MD5

    2b5c64d0ae335be2b30de30ed5cf9b71

  • SHA1

    57a809107f1810a3ed01d4baf09f89a1fb562757

  • SHA256

    33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b

  • SHA512

    96ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8

  • SSDEEP

    6144:REAU1eeD624pGSoJDZ2sqIrU5AsZBbgyg4s43yirHwlzKPm:RvU1eeD6282JtOI2D3bzsEHrQBKP

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/512A8BC06C1C5BC8 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8 http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/512A8BC06C1C5BC8
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8

http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8

http://xlowfznrg4wf7dli.ONION/512A8BC06C1C5BC8

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (437) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\udtajmeamkwc.exe
        C:\Windows\udtajmeamkwc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\udtajmeamkwc.exe
          C:\Windows\udtajmeamkwc.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:624
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2056
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:324
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:236
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1256
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UDTAJM~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B5C64~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2652
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3028
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.html

    Filesize

    12KB

    MD5

    627b96f22a8b34236c1247849cbf9d3e

    SHA1

    c54e1c955189e89a12f03f052d306fa2dbb23337

    SHA256

    9e85f1d1711fa3bf6b7da3bb98eb427c530da4c291edb960648d18d99bb8cb26

    SHA512

    cce02c99d9e9c2277ef02e1c54b9bb87d6fe0bfa37ca209839320b7829ab8b6cadaecdb3b060d77cbf96abe5e89d1ad9faae0ad8816a5a139034dcbeff1aa864

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.png

    Filesize

    64KB

    MD5

    c39e45b3b3ba32157c18e26cc41dc310

    SHA1

    c631d62f809ee4cf35c76d246f0202ad9741b945

    SHA256

    52a04d88bd32c858445e7ff7a8bc4181b45384f4fd898deb9fccab8c81162c78

    SHA512

    49cee5866260684a5df81fdc1959910edd74718d28e29d60323234b142674adddb1edc100057ae729f5b6668bf2d027592466946112b7272ba216af97d329fdb

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.txt

    Filesize

    1KB

    MD5

    de6178ef3c9f4e69870bd0cec21b9dbe

    SHA1

    cf1728de6778b1623390fd629e15373451105fa4

    SHA256

    0e7ba4b3e3c862808e12e1a2f0b898bca73d7f65fb4291abdbb2801eb727bb0d

    SHA512

    8f3accf391aac101c00db6dcebb2fedbcf412e36b103bcb37bea58d5f096ac191605306a9a19a7faf20f0d341abf7391ee658aa237d90b42c70a69476886589f

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    ee9052782b869ed5019066e28bd8dc2b

    SHA1

    67bbd080e65175f335f634d50cad1619f6fcd7f1

    SHA256

    1700041b8b51b6098c6e13ab8e90bbbb1634d9da0bb8122686ac3d980feb5c7d

    SHA512

    372ad0aa350ee28d39380865ab115a341d24acd0fcad5001dd61f8fdbd80c417fd1885f54ebc8234b6190471f21635e191ea1cbe822aec5d9729d12fc1fe729c

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    ca1d087e5b444c7d91bac250b4d0613a

    SHA1

    3b89d056c3f4a1cb4c9cb5958928874cdb85b55f

    SHA256

    577382f14d7871adeac0f07936a267aa11eef3c037ea3f46d37fb4ddb8043fe5

    SHA512

    d5873e9ed859da6ed0fb93954194c4f7e348f77ead18edd7ecc7d0d88a0cf3159ed3cad9b2e34d46164a563794340a156518119b2afb2f25f811a0978c3d7d46

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    b15d8e8b690c4bb6d4d467ad666dfdf8

    SHA1

    06ec74faf73d019d2f3371d4ff83bfab6a8bca07

    SHA256

    a2332a568527228fba05e299729e480709dbbf3a408b3f4a02e07c58b17144fb

    SHA512

    7e24c3aa524c3060e6c032fdee8a676d04723c4791fda5bc2548f5db70a2dcfd99bb42fc27a121fc8e74fd91432ef88a4a08f344fae25c88e8cf728dd755da96

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3db2a18e17e7f1f7776965a8e9f2cf7b

    SHA1

    8e2ca944a72e758b4722c3d68a2e7eff3e5d9baa

    SHA256

    4ec86f7898f36773466ad8ac3a4bb1ca5b297d47f0eda932b95a4cea1c8a24a1

    SHA512

    4b1e538f1c57a7412310d30f1ba90f0db838883e18f32f3a22a87bf171a092b9190f1da7f3f88ee26bd6c8e8a22f692827ec983d315a3d7ae1592636654ace1b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fdd72faf10376b8df826dde108d2abfa

    SHA1

    7bb66a96ebacfdfdbe429d590d989b3d6479cbbc

    SHA256

    f7e83a5229a3ca4962691ad4116312deec88f7ab95e4b1b35795e7b7751bc7bb

    SHA512

    83a285a72e8bed6eb00f6e68550a82fe531ba75b86d1af44acd32b49e457a5bd2ef77a914c35923e0f9dc3c51505262941192a838960821deba03be81872a1da

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    48756734bec758711d9d7bd9950c9d15

    SHA1

    7d8e39a9ffa046d310b1e257df93db62a9093573

    SHA256

    7eafb603292c73c57d5cc341fdb78bd1af7f1dacba9f3cd93831e1dfc69a9fa1

    SHA512

    c327723a8abf36ac8ecb6ddf95001bdb0c4346b199aecbe2d70c1d9b7cbee9338b863c8075ae6a3298f99e69c78019e1a1a4b70ebc6b4eb87cf8f173f50ee70d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1248232133eb176533efa60b1dd6cd46

    SHA1

    0a3e2d1a7d35184f997cdf610b7fef47a0a42399

    SHA256

    ad7bd801f3c20dcce90e89e9019ebd9cc0c7f3181775dc9e4800bef5b8aa2a05

    SHA512

    d1fec50742e849e944936d460aebd69d2863da98f9a6dbb1876616b90c6d0ad6b3ef0a79ad2a67caf2e99564c757154d0d252115f3429d0ee7644bbc27f1de94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a6e56e7cbca4ddcb5600d6889f8cfc94

    SHA1

    2b276bf755368f3ee9eaeca4973974ec970a8ff7

    SHA256

    adcb491b19cbf18b885fa26075231384389f1813c4a00147e82fa230ebccad89

    SHA512

    c47c0bfc7b9d2e2166d0db8fb06495502f580ccb87051a4c431af5dfb4ca2dcff96e7ddfb69f9147833256934a8013894c0e98880bbd7f77b712bde0b6036927

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3de71ea025692b5fe95ad12b2d4a937b

    SHA1

    663e63a7fcecd151add783475bc7cc6442ed6fa1

    SHA256

    a25d3b75e5d9fbf50aa01d8959db229641b1456fe0bb7c9bede93da7978aed53

    SHA512

    35a11009b0909b64cf42bba6ca8a7dbb5eda873008f4ab9a83353b58bec5a9cd519eaadf95b2fc9165841649ab201f69230672efc80435e1b074b41cb112435b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0661c46939f715440db27ca19468b534

    SHA1

    7e8aab866598c0f2bdcfd9bfccb6ab3a91cd419a

    SHA256

    ebbba41c479d2d7284620b6a05697bc69dffa491be703b4fec02bd2b4844a729

    SHA512

    5226e02642f8ee7ba1f1fa97c0036cba6eb3952ee937a50eda518a04056ed02d10a5ab9b545a9b47bffeedaa4c6a055439c0c361bf3e3d85b68f80ac272ec9a8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    325505084779abe282137ff232011929

    SHA1

    9048ee02bc0477114213d3d96c325bc15bf2f9ae

    SHA256

    8b9a89115ec7d8c12117472a0ed6e2728c99ee28822377d3e88a3c0eb54d5c40

    SHA512

    f2ba733794abf5c83262af8e613acb6f1b3ccfbae45919cb39226e9d371bc9d6186bef1cdcb16bd1bdb2ccbf1c5b6d33a4ab3a09d3f39a8a65772a24c73a1196

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dde2936764ed1f3cd981b1c807444dde

    SHA1

    a4b4fb33240b3be944d10645df14a5326d2f1f05

    SHA256

    b62632afb7486ce96a84ad2ad61cb45962fbaf89ba6ff30f79b9073291e1e066

    SHA512

    24d8b2c066241a073e03a099068b2d6b40b58b4e5164b495afbe6053a3c9f9740187c73002533ff6350e25dd8a4e53abbd1c997d49e28364414923def1b2b278

  • C:\Users\Admin\AppData\Local\Temp\Cab2658.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar26F7.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\udtajmeamkwc.exe

    Filesize

    364KB

    MD5

    2b5c64d0ae335be2b30de30ed5cf9b71

    SHA1

    57a809107f1810a3ed01d4baf09f89a1fb562757

    SHA256

    33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b

    SHA512

    96ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8

  • memory/624-6148-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-1935-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-1062-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-6155-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-6149-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-55-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-6144-0x00000000040E0000-0x00000000040E2000-memory.dmp

    Filesize

    8KB

  • memory/624-1933-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-5050-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/624-6138-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1972-6145-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2400-17-0x00000000003B0000-0x00000000003B4000-memory.dmp

    Filesize

    16KB

  • memory/2400-0-0x00000000003B0000-0x00000000003B4000-memory.dmp

    Filesize

    16KB

  • memory/2400-1-0x00000000003B0000-0x00000000003B4000-memory.dmp

    Filesize

    16KB

  • memory/2852-31-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

  • memory/2868-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2868-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-30-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB