Resubmissions

20-10-2024 16:47

241020-vaj5ps1blj 10

19-10-2024 22:18

241019-172znsvajm 10

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    19-10-2024 22:18

General

  • Target

    5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    5ef1fdd422951c153db8c39b87e84e5d

  • SHA1

    a89966004343653b2d20c06b373b1390ed0450d3

  • SHA256

    b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

  • SHA512

    94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871

  • SSDEEP

    6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ddrwy.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E

If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/4EF4ED8C821A875E
4 - Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E
http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/4EF4ED8C821A875E

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E

http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E

http://xlowfznrg4wf7dli.ONION/4EF4ED8C821A875E

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (433) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\tnvhutyoduas.exe
        C:\Windows\tnvhutyoduas.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\tnvhutyoduas.exe
          C:\Windows\tnvhutyoduas.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2996
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:3024
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1704
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TNVHUT~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1808
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2284
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1684
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Downloads
