Analysis

  • max time kernel
    134s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 11:37

General

  • Target

    VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe

  • Size

    368KB

  • MD5

    627ec4f42d9649bc8309d87f03d1c288

  • SHA1

    6cd845e8de2c2197cbab48f94eea823f88b0efd9

  • SHA256

    3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066

  • SHA512

    62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd

  • SSDEEP

    6144:e680E92oeOE4G63VEuFwm+DDrhd3wbYqaUq/JyKSmi97Msg4piwbBS9lkw86C:e68PIHt6DObD5dmYqarImi9jB4SBylkN

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ifefx.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1BA8A65DD2793E7 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1BA8A65DD2793E7 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/1BA8A65DD2793E7 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/1BA8A65DD2793E7 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1BA8A65DD2793E7 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1BA8A65DD2793E7 http://yyre45dbvn2nhbefbmh.begumvelic.at/1BA8A65DD2793E7 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/1BA8A65DD2793E7
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1BA8A65DD2793E7

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1BA8A65DD2793E7

http://yyre45dbvn2nhbefbmh.begumvelic.at/1BA8A65DD2793E7

http://xlowfznrg4wf7dli.ONION/1BA8A65DD2793E7

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (425) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\qgaiawrhncbm.exe
        C:\Windows\qgaiawrhncbm.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\qgaiawrhncbm.exe
          C:\Windows\qgaiawrhncbm.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2892
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2416
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2120
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2224
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1184
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QGAIAW~1.EXE
            5⤵
              PID:3056
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
          3⤵
          • Deletes itself
          PID:3068
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1200
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2444

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ifefx.html

      Filesize

      12KB

      MD5

      693cdee12e1b4d82dd6421e24ca6a1c5

      SHA1

      b4e9df95b2d32f30410b32b64f6f7f821776390c

      SHA256

      8553686411ee5c9b4251a800f2d4558d3399cf73fbe36fb67dc1e650f6c563b5

      SHA512

      667bb333cb41be210ebff7c31993ac8fe48c3df3a8be466812368c2ccb39758e2397f2cbd55ed5a1737bec20fdee5dc078329ae24d3e603f407e3da140b9f920

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ifefx.png

      Filesize

      65KB

      MD5

      3bb399298e4c3c07073db54a7db42cc0

      SHA1

      a5a5619fc75e58208db165df3d97ac200c9f998c

      SHA256

      bc8a85c265cb73729ea125f2f413171d2bc6be02a9a4d960d016a6758e7c1c3f

      SHA512

      7646cd86287c3f3191204af5eabed68a0f4b09e06caa66f1fced8ae59eda95c950854a0cedb35c931bbcd17e66a6bb29c488afdc8da6f37434049d64e31b5560

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ifefx.txt

      Filesize

      1KB

      MD5

      da06765750b2e08678db1eaa57f8d9f3

      SHA1

      b3da40ddeb45d6c5a6e830368fd95e9769937cf8

      SHA256

      75292678c7297489c82f34667b7db499161fa02a5704d0e16627d10a9f62ff10

      SHA512

      6b5488cb4f43f08c68ba18a9f798089b4b22a0dc842a61e3c882f63790c9be9907edb1ea442f41ce2c6921b34e176e103f553d2a4254d2a3f9db9df192c11f7d

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      92cf1929c796e51a216c19bf570c1b5a

      SHA1

      04c68cb059bec54c6e9e6741a36b87ff2fea5ef6

      SHA256

      f34d9023995ce2437cff0eb6ab3c5ae67e2512e9c2320328e3863b14d33618c8

      SHA512

      f66a720d071b9b678b436ef54bcb43e52746717c4f732aa0f83e3034bb5a92aeff9cf1e20365b1907e46873545d8fc2e2a0ff31a78f0344c51489fb4f685b6a3

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      0f508cb52e4cb40f04dc5f7882c81349

      SHA1

      a93a90e396f9405f009f3de7aa3ce587e329478d

      SHA256

      74e7fcc2c4eb3e6f89ae377d83737189e428730f2b1f465dc6cdf4c9a64bdb6d

      SHA512

      ce4753db35d7996bb50ca4d718fc0a0ff4eac529cde108f45fc8a6e030aa20be119556b27d440ac45c113bc4a3e143654b01ae318fd9d0ce95459e44b962af5e

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      173KB

      MD5

      fb97d8ddeca1ded6f276b546a5514e47

      SHA1

      8d47e20f343de8cdbaff25b40557dabab2a8c233

      SHA256

      69471ce9d05d5855636a7532b089c0e067a305f557bc971a37f7e40274561240

      SHA512

      d68942e28ee3caf1a5b9cf6631308d3974855f44125f2a93ea25ea575f82a6ebe26175dee61d023edba90c9a90a053cb4d606ab9efc8528a0cb9a7f3a9ff698e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e1d26af5679a9d4670a24ae81e0d67d2

      SHA1

      1af6a05fe1da5fad2a8212ba54a2012e2a2735eb

      SHA256

      125a2c434f9d6ebf7c1d764f15e279c70c5fe2d9cd11cbf63f765b80d4fa518b

      SHA512

      dddcc6e7860cfc66110f2d40617d6b66207b993818ecab423b5910715d83f83808868f5e9e7021d4d6825345f0ff2b134ddfb973e7ef5f52a641e549c4fa101d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7dfc0fbb68d7b11cecc48d715e5c4b08

      SHA1

      b41971807de66c85d489050987cdeb68f22fbc29

      SHA256

      182e9b3117e0c6d15baecee93de2d8719800921c9174cbcd8d83defbe47a9dc1

      SHA512

      b0a9e88d23217f34a19ac08af22b5ae99b5bca5d7752a402f47023b573180d8e0b3156dbd39784d83b9b09d180812b1f811c99a25e789410ed010a96b5a9f737

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      4cf18f5ed909f02c8025a4f86cdf3662

      SHA1

      c3050382abab9c5de13f979bdb2009633e835861

      SHA256

      ffb70158f828f7aad4e5ccac7aaebea932010cb6a92a29ce78e36c6b8a72d1e4

      SHA512

      d9a5b19ec390c73d32c09185e6b697718d79b8f146c917f469c89f63bab50fccf1ba8e38fb8906a293cc3771dd975e82c44d4b45d3af7edb64116a912e1950ef

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      3a750ac6c2cee0067ec8c3eaf15ad04d

      SHA1

      4f903e060dc290a1fe3c230b5f99cc9b3906b22f

      SHA256

      de310c566645362c377c3a60cae2062878813b1243a019df149cfc63f25a270f

      SHA512

      3458b4933c670e3007bdf264082d7c484495aa0fd8dafb22f578d90b96c6d45bf27f420e47f556e76997bca4eee37d7b45c176d40ba8223989d5e586a7648f11

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      bedec6e35410f94a84bdbcdd6a0d675b

      SHA1

      45699af66bfc4fe10e3ead4cc314d302a41af53f

      SHA256

      688ff734d9b72b27741689d0ed5a374dd566d5b1e01494c16d30d44fb6b2c6ba

      SHA512

      a0b0771a472222fd54dc3658f7664f2901dee1b92e88c5d17fc51e5fa073bdc23f78a4e74d4bdeae2deee59c63cdec5dd1e8f8b203e6af1c83d3d5e08d317cea

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      afbbd172ff504f4621e5439c3d702176

      SHA1

      a5d44545d831fdd9c63767f9191553c6d6db9d3d

      SHA256

      f8c1c000b502ef38a6fe6db74934b52ab4e32aac663ce1ea7a7c7b392821c969

      SHA512

      183c2f5cc3f0bb48babb9adc6ec77c43b09c2a065e778a35a095e8bf7e894e9de6c1865a915bd7180709100c07dc8510e0450b471da01757baf3b53ed040bc2b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      10c3f50e51c1139afa16c8a1c3d93f3f

      SHA1

      a38d333e89ee40ca285726b9260d8a5c5451c4e5

      SHA256

      f89e8cdfffa54b0d1b047d87520f42e68ad75d46e862e6d20927a324d37d61b3

      SHA512

      5e5c87dfac25e85f5c1689ca72e3c8bd6ede1dabe58875696c01ca846f80d3e5adfaa4939d416fe9b872a6df92e14a928d2814c1f1a0faf915023c60af08cbce

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      dda34384f56acd1ad4b5036ac11a9572

      SHA1

      f79cb1b449ea548f9750bd7090e57285eab62b98

      SHA256

      c95f01b012f9cc0c32c5305c0ccb1c0014b6f69690025a230e9adb622dae34db

      SHA512

      979ea80ebd923bd195606df03734cdc731ecd93dd6ea7773cdfca0f26143007767a7b5f55cd10dc2f8f9d37c8ad88ef9225ec1acb72a7be1911edc8041c6cc67

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      fdc5583f16ba3e1db0c53e74dfaa02dd

      SHA1

      6c9ff5979faa712b37a039ad2cc6e7caed186d5c

      SHA256

      1b54eef77768ffc4026e2e3eaecbb8275e8263dd4bff94063eb9a1fd527c5e11

      SHA512

      81810c89931c299c26767351c1a79d4aa3a63eb18fee4fb69457f1f6fb2719b770dae94b7ccb3f4d14c1b536514af36fc28566523f1d7ebad3c28711cc5efff0

    • C:\Users\Admin\AppData\Local\Temp\Cab99D2.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar9A56.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\qgaiawrhncbm.exe

      Filesize

      368KB

      MD5

      627ec4f42d9649bc8309d87f03d1c288

      SHA1

      6cd845e8de2c2197cbab48f94eea823f88b0efd9

      SHA256

      3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066

      SHA512

      62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd

    • memory/2444-6076-0x00000000004B0000-0x00000000004B2000-memory.dmp

      Filesize

      8KB

    • memory/2652-8-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-20-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-12-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-16-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-4-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2652-6-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-10-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-19-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-2-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2652-31-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2772-28-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

    • memory/2892-2271-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-50-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-6069-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-6575-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-6568-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-5303-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-6567-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-55-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-56-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-52-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-6075-0x0000000004830000-0x0000000004832000-memory.dmp

      Filesize

      8KB

    • memory/2892-51-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2892-6566-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2984-17-0x0000000000220000-0x0000000000225000-memory.dmp

      Filesize

      20KB

    • memory/2984-0-0x0000000000220000-0x0000000000225000-memory.dmp

      Filesize

      20KB

    • memory/2984-1-0x0000000000220000-0x0000000000225000-memory.dmp

      Filesize

      20KB