Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2024 19:17

General

  • Target

    8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe

  • Size

    384KB

  • MD5

    8736b31e13bcd6e154dd6ad39b839f8c

  • SHA1

    9135b9746cb37636cd26cbcc73ffd0451a34b426

  • SHA256

    5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f

  • SHA512

    1f8a4ca3b1d33e6208e45c8f42fa1650dd1b97162b499053cc45c034dc87f4d03448a4289d9efbc64bd0e135b7cb597036311dd0f5c763dd6ced6f36ac6a01bf

  • SSDEEP

    6144:SeVGON09XRWtlggcMOEqmgWqvANwxcLSgL8J4bAvtqjPtW6wU25vB8ynNd98UW:gON09XotWgOfmgLA8cNYQAojtwU2xnv9

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bwpgu.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EAA1E4C4A8422025 2. http://tes543berda73i48fsdfsd.keratadze.at/EAA1E4C4A8422025 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EAA1E4C4A8422025 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/EAA1E4C4A8422025 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EAA1E4C4A8422025 http://tes543berda73i48fsdfsd.keratadze.at/EAA1E4C4A8422025 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EAA1E4C4A8422025 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/EAA1E4C4A8422025
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EAA1E4C4A8422025

http://tes543berda73i48fsdfsd.keratadze.at/EAA1E4C4A8422025

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EAA1E4C4A8422025

http://xlowfznrg4wf7dli.ONION/EAA1E4C4A8422025

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (422) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\qubxgctqgjny.exe
        C:\Windows\qubxgctqgjny.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\qubxgctqgjny.exe
          C:\Windows\qubxgctqgjny.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2096
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2800
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1296
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1912
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QUBXGC~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:224
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8736B3~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:3004
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1316
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bwpgu.html

    Filesize

    11KB

    MD5

    1ca7a12cbff07d2989b19652a61e4fb1

    SHA1

    ec826f2700affe439d41a324c04a2cf27f9ee2a8

    SHA256

    57e7f7e7754d69bb3d1eaec958a6baa56d67a7e08dbf76aa2dc8e0ac0b5599cd

    SHA512

    e37b2e9187e1a48bcd8f6d9370566621b4cde85c5e1134be3a002cbbae1ba70c54aa788517e8e66372c97ae16121ac63479c9bd56f044ce701bccd0c008bdae9

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bwpgu.png

    Filesize

    63KB

    MD5

    8db927906844480461d8554920a960a2

    SHA1

    e6d1a19e639268a730d708bd5c97f1a15f747d8d

    SHA256

    640b133bdd28df204291970747aa05fcbf41f143c337b4abfbfadf07a9eb452a

    SHA512

    34f4447366b341f280f096aeaad9eb763a17062b1f5c864c9827c7904517ec176cffa88b0fa492d21c7e12c8cdfa9c3d1529c13ed1c975923fc5ad51202bc7af

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bwpgu.txt

    Filesize

    1KB

    MD5

    9e0a2d5ce2c93d4e8bcf0b938abe4fc6

    SHA1

    be3c71ded9b1ff76fad70ab7a00c1fbaffbb2ab3

    SHA256

    4868a3911c5af7654ad08aa8351f10a464da990f9fdc44dca3c3dd36838ae149

    SHA512

    896219b9e5838263a5f7e49fd95443f99328b33b52345fe1c9aa55627428b20682781e797dbf3a7cf53268e4dc9cff68a0c1e759769bb151405dd9634b027bbf

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    750049ea6678297b716e35a81cd080cc

    SHA1

    4026a756dcc148582f8f4b2258db0454e7b1c168

    SHA256

    838f934a126c771a554411d11986b2c2bdaa75b223bcdd78f6fab06c8c7a0bc3

    SHA512

    d74d5028e5b6585904aaa8ad2153045d2b841fa77cd14bf4278ed0b33cab40fe7496841609524d409fecc2baaccfb4a9403974c80029c6ee0c21c6711a90e780

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    a0c928683b53d3841b3e014ee4a5b7c0

    SHA1

    a0917472c62a79027f6335e142f4ae20e6b3bdb0

    SHA256

    b69dd78806431cee08f26a08d62244d638e2493126d85dbf808492cbe2e4de4b

    SHA512

    556af17da673d2fee7ccf6c8fa877ecac711ea9704eee11796e82bb2ff5b419777d47454f55fc2bf23e801eef92812c8cf018f105b1be9bd590bcf65dbd865ee

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    964324935277b35020b52f1efca25061

    SHA1

    1534ed50c7fb15d5219d1d5458b552c3264ed0a5

    SHA256

    63876d97c54edc6a43fbfb808ab69038c379f8413f58f11acde838c30cf4205e

    SHA512

    e3b036ee6ef8bd432dc91a33ddd5c3ba5742b61866e20b0e16d1d7a2b33bf7c7b6ae423083f78afa3f0d3c59f1101aa80316612de40e8fd39985cde5823e038e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    7d398c0d99b54d3c3c3123d44d9871cc

    SHA1

    58ad0403652d92d51deea514353f6bfec1a27f2a

    SHA256

    ffb53454af10df0e47af760bdeea6f19dadee80ac36c58b75291ec2fc5a959ef

    SHA512

    353940a017d383f2206a49757fb9e42c67460d0159916f136a2419a7cbb85989ab58a0414a8eee50ca3a226c66a4ed82a18dad63164a9e240f69f34c2299d8ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    945b839a9c8145da3682e34c828fbfa6

    SHA1

    4dee0c05123d7b43f48cba31b43f41d36a32744f

    SHA256

    1b28ddadd9af6f4aba8bb9e5f2c87821f0d9bb68889dff0b11ca3e71b501a942

    SHA512

    c548f4658451fa43aa21d7c21d6cbaebcfd0599ed27af9803be046cb6aa0e33f417d6908100e5034c153282b111edc122c13c8c50623dda43e30289578a5fcf1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fb2dff1b9b6803d484fae9ac5f59fcf4

    SHA1

    b6f8899c6f490806664d9515a91c5a76c3c7cdfa

    SHA256

    27d758a0482081754b77a40ade535a860ab4b73aca46cc9a42d4bb038379dabd

    SHA512

    2a166af55fdf275c9e3ad13750a5065c6d13258c04a237bf9e912a264dbb5252b09eb991b2d116633d96b2688bd45c74c8fe608ed68fa273053fa0e6977d1267

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a84f68825282a9a455deaa895b395b77

    SHA1

    b15d65bea2712f1d4c3632833b4346bd5fcdad04

    SHA256

    43ad496ee14625f72d7bcbe2f302f8fb8ee72869d7604c708a188e10e907aaaf

    SHA512

    a18db2c76df7111569b3fcf4eb0cf62c464fac26be12242296689c8b5a3a97154a4112e9027c3ee03615393774f038ba74b6fd78825834b955c1ed9300ec5f67

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d8e6c02eb7856a35124e5a5b32112978

    SHA1

    bdaae711e1980587cc5778ff64932b125bd13095

    SHA256

    abc6e2b98e807494c7da3600a76b790126668686f789ee3ff3bbe5160c1a28b8

    SHA512

    5b872eadc9b94a4f9ef91032818887dd74fe72e4b6b626a3d39b0178eff794bf718b6ece50051fd2fd7b5bb9cd6ab764ed0b002d05dbbee51bccd8b40ab89195

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c7837c86040bac3ff8b2f32307eabfa4

    SHA1

    a3dce909ced03ffa04ad4b3f812ee748d85cc2f5

    SHA256

    dee1161c264d2a71ccbbf256bb764275a93674ee3dbacac1d0035f08c9457d45

    SHA512

    16a9de8c446107fe6d9f210b205977cadd02d0d3e598c7d3f4787b0eddc10e8219391fca475d72fb7695b0987fbb7d0ed43eb794b9cea68a62f9fc909dd083ca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1a9afbdc30787d85673ba0b19613ff09

    SHA1

    5eea4bc686bbbf863cc36497c9a1b3d7fa5b7974

    SHA256

    d5b2406a474d3e35012b0ff6ab65204ff56d66f357406ba7ca28e10d9c072579

    SHA512

    b3a040b2e4e166165515f00e49e47a6941d71a047240254132754982d25e5f39930e0074d899fdc7725ce4ad58f40ff80c5ee30988b73e41b54495bc461d9686

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    54d7f14a47c00d65490c40300f94a7bc

    SHA1

    11d318eb550122bc4736357eb34023235a3b3ac0

    SHA256

    954c014c5f7fc1aa70db95f93dc2d834fcfac217a620c091931222423c57cadc

    SHA512

    4cfe8b4720680929f859f1582f626c8a39172e3669dce73236b50b6550d6c132474185ac4b8c891f9e3c7ab040a3f8600fd5670603d7ddc6e3399942a0f167c1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d6492bea143ee2a8436d885247f09bc5

    SHA1

    50d69cbaf47bf1c2fd7ecde88e26958771014150

    SHA256

    9ad345d8fe5c8aed981ab44a21285c2facff878b6a4f14ca3cd92c838e4a088e

    SHA512

    56ce0ae945669b216094e02245cfb45563740943ac6e9e5c1c94fb2dc362f4a780a040c7a741595a6022e00989f9ed7a2be8cbfd7ca0de3dbb00078c1b122fde

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b02eb4f83740687ccc482d72c8a6e3ce

    SHA1

    a8d4833818f61ec6ddb4fb21ab651f12ace1fbc3

    SHA256

    d1b3b049f063cb3d7ede8033475e7c0b1f510942509a7c8bd8461a8a32ac0239

    SHA512

    e08fd2ebd01b0d96881f33b4a61e4a421786648a8c3f5a8fb0d5b5ab4ef22fc12509a4261cbe3015195a2d40993286fe22349cf5d695a795747b42761ebe8760

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    b66daf40f5fd2a2cda5d7a51cee8dcb2

    SHA1

    637593e4158c4024a731912a46e5033b08a3784f

    SHA256

    f7b3d95e1fdd622e4881932e95729d6bb9f9bb4cf3893b46aba22211285411fe

    SHA512

    82dceb1d02fbde84589d067af532eeb50ea5910ba0d7b4e1fb6de87eab1ed81f360b649d41ce906fa5a52d5963a8a66c082183149b21846a1b9b4cbeda3cd025

  • C:\Users\Admin\AppData\Local\Temp\Cab565B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar565D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\qubxgctqgjny.exe

    Filesize

    384KB

    MD5

    8736b31e13bcd6e154dd6ad39b839f8c

    SHA1

    9135b9746cb37636cd26cbcc73ffd0451a34b426

    SHA256

    5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f

    SHA512

    1f8a4ca3b1d33e6208e45c8f42fa1650dd1b97162b499053cc45c034dc87f4d03448a4289d9efbc64bd0e135b7cb597036311dd0f5c763dd6ced6f36ac6a01bf

  • memory/1672-6125-0x0000000000380000-0x0000000000382000-memory.dmp

    Filesize

    8KB

  • memory/2096-1430-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6153-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-1429-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-1589-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-55-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-4202-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6117-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6118-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6124-0x0000000002B40000-0x0000000002B42000-memory.dmp

    Filesize

    8KB

  • memory/2096-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6127-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6128-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-6150-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2096-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2360-0-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2360-1-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2360-18-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2664-5-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2664-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2664-31-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/3008-28-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB