Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/01/2025, 08:42

General

  • Target

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

  • Size

    371KB

  • MD5

    c192a273a786b569df2056914faf8327

  • SHA1

    87f24f470d678deae2cade1d3fd12255e796c091

  • SHA256

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

  • SHA512

    8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C0716909F59A9C3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C0716909F59A9C3
URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3

http://xlowfznrg4wf7dli.ONION/C0716909F59A9C3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (876) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
    "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
      "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\cdxnmauxndwm.exe
        C:\Windows\cdxnmauxndwm.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Windows\cdxnmauxndwm.exe
          C:\Windows\cdxnmauxndwm.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5008
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3712
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:4360
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3796
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd7e46f8,0x7fffdd7e4708,0x7fffdd7e4718
              6⤵
                PID:3632
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
                6⤵
                  PID:3652
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
                  6⤵
                    PID:4804
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
                    6⤵
                      PID:4900
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
                      6⤵
                        PID:4936
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
                        6⤵
                          PID:3372
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
                          6⤵
                            PID:3232
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:748
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CDXNMA~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2256
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4432
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2112
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4792
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3292
