Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2024 17:55

General

  • Target

    3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    3615c9ef28ac6b885405ad433b338ce9

  • SHA1

    8b39c75a87aba608976d6ebc5be6d511b82fd634

  • SHA256

    0f5bfe270ccd6b20554570e407cc0490477030b4cbb3a991fb647810d6a75039

  • SHA512

    5d94bb315e1a2f0dd3784c4ccced48f5cbf29d9a4fb776ad88e504fc9123e725a333af49e5ac453b21b3094941c546c5543ac9f8737917d9c9ecc035fc4e51d1

  • SSDEEP

    6144:boW9C/rhcrTk04UshxYi+tziVivz6dKbZi2QCFenag:pCDurTk02hnEz6s02Fenag

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xucdt.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/192B8AB392308E51
2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/192B8AB392308E51
3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/192B8AB392308E51
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/192B8AB392308E51
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/192B8AB392308E51
http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/192B8AB392308E51
http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/192B8AB392308E51
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/192B8AB392308E51

URLs

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/192B8AB392308E51

http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/192B8AB392308E51

http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/192B8AB392308E51

http://xlowfznrg4wf7dli.ONION/192B8AB392308E51
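The Malware Config section above is what a ransom-note config extractor produces: the family is identified and the payment-page URLs and the per-victim ID are pulled out of the dropped note. As an added example that is not part of this sandbox report, the following Python extractor does the same over an excerpt of the note shown above. The regular expression, the single-victim-ID consistency check and the registrable-domain helper are my own simplifications (no public-suffix list is consulted), not the sandbox's code.

```python
import re
from dataclasses import dataclass

# Excerpt of the ransom note shown above (the personal-page list, which the note repeats,
# and the Tor instructions); the remainder of the note carries no configuration.
NOTE = """For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/192B8AB392308E51
2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/192B8AB392308E51
3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/192B8AB392308E51
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3 - Type in the address bar: xlowfznrg4wf7dli.onion/192B8AB392308E51
Your personal pages
http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/192B8AB392308E51
http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/192B8AB392308E51
http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/192B8AB392308E51
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/192B8AB392308E51
"""

# A personal-page URL: optional scheme, a hostname, then the 16-hex-digit victim ID as the path.
# The scheme is optional because the note writes the Tor address without one.
PAGE_RE = re.compile(r"(?:https?://)?\b([a-z0-9][a-z0-9.-]*\.[a-z]{2,})/([0-9a-f]{16})\b", re.I)


@dataclass(frozen=True)
class TeslaCryptConfig:
    victim_id: str
    clearnet_urls: tuple
    onion_urls: tuple


def extract_config(note):
    """Pull the victim ID and payment-page URLs out of a TeslaCrypt-style note.

    Every URL must carry the same ID; a mismatch means the text is not a single
    victim's note (or the regex matched something it should not have), so fail loudly.
    """
    ids, clearnet, onion = set(), [], []
    for m in PAGE_RE.finditer(note):
        host, victim_id = m.group(1).lower(), m.group(2).upper()
        ids.add(victim_id)
        url = f"http://{host}/{victim_id}"
        (onion if host.endswith(".onion") else clearnet).append(url)
    if len(ids) != 1:
        raise ValueError(f"expected exactly one victim ID, found {sorted(ids)}")
    # dict.fromkeys drops the repeats (the note lists each page twice) while keeping order
    return TeslaCryptConfig(ids.pop(), tuple(dict.fromkeys(clearnet)), tuple(dict.fromkeys(onion)))


def registrable_domains(cfg):
    """Clearnet domains to block or hunt for: the last two labels of each host.

    No public-suffix list is consulted, so this is an approximation that is wrong
    for hosts under multi-label suffixes such as co.uk.
    """
    return sorted({".".join(u.split("/")[2].split(".")[-2:]) for u in cfg.clearnet_urls})


if __name__ == "__main__":
    cfg = extract_config(NOTE)
    print("victim id :", cfg.victim_id)
    print("clearnet  :", *cfg.clearnet_urls, sep="\n  ")
    print("onion     :", *cfg.onion_urls, sep="\n  ")
    print("domains   :", registrable_domains(cfg))
```

The victim ID is the one stable token across all four URLs, which is why the extractor keys on it rather than on the hostnames: the clearnet domains rotate between campaigns, the ID format does not.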

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family that presented itself as a CryptoLocker variant. Its developers shut the operation down in May 2016 and published the master decryption key.

  • Deletes shadow copies 3 TTPs

    Ransomware deletes Volume Shadow Copies and other backups so the victim cannot restore encrypted files without paying. Here the dropped copy runs WMIC.exe shadowcopy delete /nointeractive twice (PIDs 2656 and 1900).

  • Renames multiple (427) files with added filename extension

    427 files were renamed with an added extension, consistent with ransomware encrypting files across the system and tagging each one as encrypted.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    The sandbox raises this because infostealers read saved browser data (credentials, cookies). For a file-encrypting family such as TeslaCrypt, reads of browser profile directories are more plausibly the encryption loop walking the user profile, so treat this signature as weak evidence of credential theft on its own.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by their intrusion activity. Here both executables remove their own binaries with cmd.exe /c DEL: the original sample in Temp and the copy in C:\Windows.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots; the top-level vssvc.exe process (PID 2816) is that service, which the WMIC shadowcopy delete requests go through.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\fgedalrpyctp.exe
      C:\Windows\fgedalrpyctp.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2696
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2516
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:328
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1224
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FGEDAL~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3615C9~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2820
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2492
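The process tree above is the behavioural signature of this sample: the original executable copies itself to C:\Windows, the copy deletes shadow copies through WMIC and opens the ransom note in Notepad and Internet Explorer, and both binaries are then removed with cmd.exe /c DEL. As an added example that is not part of the sandbox report, the following Python reconstructs that chain from process-creation events and flags the three behaviours. The events are constructed from the PIDs, images and command lines in the tree above, with parent PIDs taken from tree depth and the root's parent left unknown; the 8.3 short-name matching used to tie FGEDAL~1.EXE back to fgedalrpyctp.exe is an approximation and is labelled as such in the code.

```python
import re

# Constructed process-creation events modelled on the process tree above: PIDs, images and
# command lines are as reported; parent PIDs follow the tree depth and the root's parent is unknown.
EVENTS = [
    {"pid": 2744, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe"'},
    {"pid": 2696, "ppid": 2744, "image": r"C:\Windows\fgedalrpyctp.exe",
     "cmd": r"C:\Windows\fgedalrpyctp.exe"},
    {"pid": 2656, "ppid": 2696, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"pid": 2516, "ppid": 2696, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmd": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT'},
    {"pid": 328, "ppid": 2696, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM'},
    {"pid": 1900, "ppid": 2696, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"pid": 2320, "ppid": 2696, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FGEDAL~1.EXE'},
    {"pid": 2820, "ppid": 2744, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3615C9~1.EXE'},
]

# Shadow-copy deletion through WMIC (as seen here) or vssadmin (the other common form).
SHADOW_DELETE = re.compile(
    r'\b(?:wmic(?:\.exe)?"?\s+.*?shadowcopy\s+delete|vssadmin(?:\.exe)?"?\s+.*?delete\s+shadows)', re.I)
# "cmd /c DEL <path>": capture the path so it can be matched against an ancestor's image.
SELF_DELETE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\s+(\S+)', re.I)
# A viewer launched on the note name observed in this run (TeslaCrypt-specific pattern).
NOTE_VIEWER = re.compile(r'\b(?:notepad|iexplore)\.exe"?\s+.*_ReCoVeRy_', re.I)


def _split(path):
    """Return (directory lowercased, stem, extension lowercased) of a Windows path."""
    directory, _, base = path.replace("/", "\\").rpartition("\\")
    stem, _, ext = base.rpartition(".")
    return directory.lower(), stem, ext.lower()


def refers_to_same_exe(del_target, image):
    """True if a DEL target names the given image, allowing an 8.3 short name such as FGEDAL~1.EXE.

    The short-name rule used here (first six characters of the long stem plus ~N) is an
    approximation; real short names can differ, so resolve against the file system when possible.
    """
    tdir, tstem, text = _split(del_target)
    idir, istem, iext = _split(image)
    if tdir != idir or text != iext:
        return False
    if tstem.lower() == istem.lower():
        return True
    return "~" in tstem and tstem.split("~")[0].upper() == istem[:6].upper()


def triage(events):
    """Flag shadow-copy deletion, self-deletion and ransom-note display, and name the root process."""
    by_pid = {e["pid"]: e for e in events}

    def ancestors(pid):  # pid itself first, then its parents up to the tree root
        chain = []
        while pid in by_pid:
            chain.append(pid)
            pid = by_pid[pid]["ppid"]
        return chain

    findings = {"shadow_copy_deletion": [], "self_deletion": [], "ransom_note_viewer": [], "root_cause": set()}
    for e in events:
        if SHADOW_DELETE.search(e["cmd"]):
            findings["shadow_copy_deletion"].append(e["pid"])
            findings["root_cause"].add(ancestors(e["pid"])[-1])
        m = SELF_DELETE.search(e["cmd"])
        if m:
            for anc in ancestors(e["pid"])[1:]:  # which ancestor's binary is being deleted?
                if refers_to_same_exe(m.group(1), by_pid[anc]["image"]):
                    findings["self_deletion"].append((e["pid"], anc))
                    findings["root_cause"].add(ancestors(anc)[-1])
                    break
        if NOTE_VIEWER.search(e["cmd"]):
            findings["ransom_note_viewer"].append(e["pid"])
    findings["root_cause"] = sorted(findings["root_cause"])
    return findings


def is_ransomware_chain(findings):
    """Shadow-copy deletion plus either self-deletion or a note viewer is the chain seen here."""
    return bool(findings["shadow_copy_deletion"]) and bool(
        findings["self_deletion"] or findings["ransom_note_viewer"])


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Tying each finding back to a root process matters more than the individual matches: a lone wmic shadowcopy delete from an administrator's console is noise, the same command spawned by a freshly dropped executable under C:\Windows that then deletes itself is not.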

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xucdt.html

    Filesize

    11KB

    MD5

    e6a0b39b446d637fea4fcd477acafac3

    SHA1

    069db123ad9b126b944c9bbfd6504792b3847143

    SHA256

    06849dd67feb7543d9cadc00ac1c4150c3cebad46787c420f1b6ae9baa82ac04

    SHA512

    2de43a5b17dcfe58cd0bbbd98df7fc40080113e1bccff2d380bfbd16fcc525f7a6082cbde4777f041cc37c3ca3e137fcf2459cbe6c8814e0d9ab290c6c2d569c

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xucdt.png

    Filesize

    65KB

    MD5

    835eaf3cba755cb3d18be87458b71085

    SHA1

    9b779f486b7d551e00354d1bcbe5c13fd762ee76

    SHA256

    56a050a82b68ada66950a66b5d7b93af2301ba5b45ab281f29578e33e66d91ab

    SHA512

    bca3c43ba31998a422dbb941494de7e116437b65de70a46cf5c112875f62b430617fc5d94603e2d672aebf6456165bb93f116efd7337e9454229836dade0a575

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xucdt.txt

    Filesize

    1KB

    MD5

    103da56daef4872c67f5e8703ad1e3cf

    SHA1

    c3d22c1d1d4d1dead090c1ddbd79b3a9fb2756df

    SHA256

    e214ef42ebefd24ac3e29b4b0414a94e052e36342418800b7333a63b31eeba9e

    SHA512

    0e5908fa8b15ee75dc3b9a5fe1d03a9fcdbe78b6c72dd0f0ebe14866031b69f3b554200e7947eb637402953a4ba3e2e54f158995d506c38cf1f2b7a8ee56f2bd

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    cad6d5ceb4d40af90404ff07c8b17c55

    SHA1

    ed91707e4e51745c7738fafce88948351e281965

    SHA256

    bb92d14fe958338f40aecbad1d8f4c5237d6484f5d674cc617780797a312b0ae

    SHA512

    3b4327f045e2413fefdfaf83f90444d5c81c518534ad2616773a7878cdcc8cd3c0af48ba432f9caabd3d32a5d3df82c67ca72a5338eb850f3e8adc3aa241d7f6

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    f6f77a73b05f6c0206d81f1f9305847e

    SHA1

    de6955dacb4854e6617760e670970757afd0f7c5

    SHA256

    57b4d810de954a259aa26db1e0a3f08064d92cfe89266cc97b33406d5599182b

    SHA512

    260882586bd93d5eacb43c106b291e7ba59df9cd952d5acca4008f0187d40654ec518860f157a07170acb9d74c8d33c9e059641431f4c212d1138bf11b8f1209

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    927cad8d0ce2e190fb4a7a6e5d7459ec

    SHA1

    5831bbbbe888628de657478c770b5db706c0bec5

    SHA256

    9f349aa1d02db17a22b54fc9961b802dc99457324511c19d76f2478af000e28e

    SHA512

    87192d5d41f04fb0505853068b6273aa0abdd61e6ee4645f626f292941db79f94ce823e5bd14bd556b456c068357d290fa3491ce67c03fa9dd2e197afb33cce2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e7281a7b65abcdf25effa76040d69f09

    SHA1

    26e9154f72a72b0326515955a34eca0bb7f4b21d

    SHA256

    8f82d57c0205b954af51303d249fff69bce76190b1efdd7d0b02378acf2a6b0c

    SHA512

    15e42e6cbcf555cb72dd8f03b10357b4b5b7ab049b20f53eddc12b6debd202840d01a3234351ba252849cec712b16c9c1e36a762adb620d70a957cd482942693

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d8a969bdd16db80ebcd371fa3659a4df

    SHA1

    753b410c474467ca98d682030e8799c98c6a4d2e

    SHA256

    3bf98d8db1ed3dc75d0f69ab1dfe500bd62f724937f0d839df2bfdab78da5dcc

    SHA512

    6f7a37ccdb9455f5c971a8a6cb473c296d1a1d362caf22533c8f245027369622cdac3e388759abe658d04168ed94282650cbcd2aecaf7fd4a7790ed0f298fc63

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    27d260bb87ff57683d6dc52b420f31c5

    SHA1

    760d1480e25ce3fcccfbd0bc89db10aa1b172a1b

    SHA256

    fd00040173dfd4a582b7c6c4c642e9c0f384efb45fe60a3a69293cd456868b57

    SHA512

    df8bc08b60cf0d2b535eba68b875db44dec89d8bd34c25ba2df8ad9a806567abd93a7572eff7a9262afec8272548c5d26c51297cbb02ab46ca71087981b6fbda

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    221b893b6c927b2799f490cd16f3dd1b

    SHA1

    8a363aeb15fff3ae20812fa6d675644d766a39cf

    SHA256

    24ba3d8d015e5dce606eb974bad19cec07e9576c49d78df6d4b2e293fa396517

    SHA512

    a0a53f9fb877d8b06fb212c1c037858e2cbaffb5ae71a669620f33b6a140e93938f8e935b689fb00e9a5e89dbfc3a938c0f851a76ccca0913e2c92834db285bc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1a11ac36e0f24591c3a1c6f19b9f36bc

    SHA1

    78e147089ced3429d8ebb2bbff7d73fbe90efbec

    SHA256

    9cc3f8852149d54f9a61754f9d3330bad2656da5e5a4eebadd67d9e7eb3ac2e1

    SHA512

    142ecc0ce78908cfe1f5dc0200f47d5aa52f3e8d1f18a3b1b7b10f57a576365d14375d499e5a94c8846b23dcf7e48beb77662f70e1aae25c6d120c9b34eef29c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d34f0f5cca42d74fa05ba1d49796c1aa

    SHA1

    ea71a7decf4dd628679028aed2ca19be521645c0

    SHA256

    600e298c2e67f440ca284825787cea756cea8287e45ed9c308cbe07bbecd3bc2

    SHA512

    771b2c426c52ceb4e01604ef37192f0de09654761a392a8e949c2631b33246482f913ffdc93365c00a9551b302582a0321931e80aa360cb17ccfcaa9e5b639e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    35cd777709a1587703b1c4f772fb68d3

    SHA1

    9292f59fea8e6b4c083eb89ad4cd876c63d89ee3

    SHA256

    5e3a25aad208067d8f456afd58d2c8156fcb6969e3ef4450c9af42bfcd70bbd0

    SHA512

    e54094b84ff2db7158873565727c719ed9e166b7c5682b4cd9bc45d50a09c9c9f4bc82b3372f6444fe1f2a0f1e5174fbb0a74ff437b4c1f8dc08669af9e6335f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    96f6f66e0fabdfa2a569e7ec3e57ab01

    SHA1

    8e776799a2162ee00414e00bdfc355c97e5be4b2

    SHA256

    15b578f528d045ab87271adb2f118046bb8074a6b165067ab2ee9accddc5c6f3

    SHA512

    a6c5b10c1dbac42ad11b2d84cfdae2a09979611af1290fb73a0c6b8e3f0ac4f2934415cd1ad1ab5ea9eca2daacd1a3c1ce0129907cebba178186d20a8fb1cd3d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dc6d8384df46f86e7e4cf125f95df91e

    SHA1

    ee534b3f8a96c25c02f167f0e429a563661efaf1

    SHA256

    efbfb58a3feaedc87b82b4faa7972445c29206fd47c0ffc1ae6b63170380e42b

    SHA512

    07e2ee6cd78f2f0cbea762b2ee7c8e08da6279d18f4d6ce449c5e451451c874938750bac4faf30652bcf56f29c6bc511ab052a108222b58897fe76ae02b12094

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    434f14cf76c7cd6671e7d912bdb02f9f

    SHA1

    87055189da5c960e452e5ff4f39b47b299e58488

    SHA256

    8c0702fe7fcaaf5aaa8770a7ad6a9e749157173629065864621f4e55c0f1a340

    SHA512

    e106c150a3928a5f3671096520bea53d48004ef99970609284c42ed56c5942bf711c620df72addaa06e97e927141587dbe4f797a109d1d77a5f53571ccf9b1c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8fc4d504e29e8dd752a1f1c7735f99f7

    SHA1

    3ec3ade39d997225a918488c4f2a48ae6ef430a2

    SHA256

    84544a3c45f3c60d05e725d5aa936e664313843e44bf76147db14046ebf0ad47

    SHA512

    2b68bfbb68ee92e4422bff81020aed4333a9d45b169812f39cf74a7403349e463cbcd1648362b204875dea3e58ae34ece43eb87ed6a36f6c4c08141fa48f69fc

  • C:\Users\Admin\AppData\Local\Temp\Cab606B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar611A.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\fgedalrpyctp.exe

    Filesize

    284KB

    MD5

    3615c9ef28ac6b885405ad433b338ce9

    SHA1

    8b39c75a87aba608976d6ebc5be6d511b82fd634

    SHA256

    0f5bfe270ccd6b20554570e407cc0490477030b4cbb3a991fb647810d6a75039

    SHA512

    5d94bb315e1a2f0dd3784c4ccced48f5cbf29d9a4fb776ad88e504fc9123e725a333af49e5ac453b21b3094941c546c5543ac9f8737917d9c9ecc035fc4e51d1

  • memory/2492-6072-0x00000000002E0000-0x00000000002E2000-memory.dmp

    Filesize

    8KB

  • memory/2696-1995-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2696-10-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2696-6071-0x0000000004280000-0x0000000004282000-memory.dmp

    Filesize

    8KB

  • memory/2696-5530-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2696-6076-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2696-1670-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2744-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2744-0-0x0000000000320000-0x000000000034F000-memory.dmp

    Filesize

    188KB

  • memory/2744-1-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

  • memory/2744-9-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2744-8-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB