Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-10-2024 21:56

General

  • Target

    1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe

  • Size

    352KB

  • MD5

    1e1def42d14365acdde0fab027ab4f73

  • SHA1

    076c52faa6c76610fca15b8533e81bf8ba8133a8

  • SHA256

    92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23

  • SHA512

    c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722

  • SSDEEP

    6144:5Meb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:5Tb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nqetq.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6AA28CACF557010
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6AA28CACF557010
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/6AA28CACF557010
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/6AA28CACF557010
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6AA28CACF557010
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6AA28CACF557010
http://yyre45dbvn2nhbefbmh.begumvelic.at/6AA28CACF557010
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/6AA28CACF557010

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6AA28CACF557010

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6AA28CACF557010

http://yyre45dbvn2nhbefbmh.begumvelic.at/6AA28CACF557010

http://xlowfznrg4wf7dli.ONION/6AA28CACF557010

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (409) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\lmbxtjxicmil.exe
      C:\Windows\lmbxtjxicmil.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1924
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:1940
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2688
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LMBXTJ~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E1DEF~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1336
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2788
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nqetq.html

    Filesize

    12KB

    MD5

    c858ae030a6c513d4c9670a72d1606c3

    SHA1

    d382e65e4951a84df43c6a5d03e4bcbdd4bd856f

    SHA256

    8264824d0952be73e43d939c914981397b4695f4787f20a8a21a09fa643f962f

    SHA512

    b81be47e97fae290029da16c23e1d27522884b0f55d7715a05448932dfa7887008141e02b14b22adb932d529e60836adec60b9585b493ea4c2f8da0f34f6dd60

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nqetq.png

    Filesize

    64KB

    MD5

    95da7b13b297aaa2f540123c2838d23c

    SHA1

    09e37cf3f264e73f6cccea63fd79d7a2b7bb2859

    SHA256

    c51f35af9dc4d65f5c098d50bc83a043763c36bd29a991a91e8a9bd2427a7dea

    SHA512

    e6f43c66738c0f9b679005a87c6edf64970f0788b2e607c80fff57febd48b4f8d3b4c95ed6e7e1cd08d7bcc95aa0dcdc335af550f3ce8e16d508f27dc8435f9f

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+nqetq.txt

    Filesize

    1KB

    MD5

    1302caaf3457aaee7f115111ed2e7956

    SHA1

    d6ac6bc787ca0ed6055fe5fed232cfcc79ce1f56

    SHA256

    d6ed9823e3b1d853f69e8dd696700c982d8cc13d49f972e598a304cd26005a73

    SHA512

    9d2bd7a33bec4a49a5d5a0c545dea154f192b1472f604dde77bbbb9484879e4f901561bda5e3be716008f002459ee7a7e5866bb8888a71fbbce774f9051a4b67

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    4368afa026343a9565df5be9c6505c4b

    SHA1

    7260590351b157da9b5507ba414c2fba83c51cbf

    SHA256

    8bca3d3501d6bfa02ff703783fc964f79a4f6fb346458443390cdcddff011d8b

    SHA512

    9739c9a3d0470f0104d2020e900f545a14d96de9d9b06c1b4c7cfe759597703b5c4424c6d7ab66d2726f7f8765eddcc02fb986c61ff729d2335409f26f50b409

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    fc42109caf017779ddf1ca91f184de3e

    SHA1

    b0cc23b8da1c84e93a02bb3a56f95b92fd76c9cf

    SHA256

    6170ae6a644467bec843d0c0002929f901f0dfd523d54eb9c8698864522b1661

    SHA512

    f4216e786c3c65318417aeaf3b143f53c4e49b23ea9b091bb1c0b6131a9cca1b00c1396be1b5f3a49966795c64421dc7d25b2dbf09d2290fbcce4e10ca187b56

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    f3230b08e1f8b3ac536976b3edc11dcb

    SHA1

    b92bd7946cc8d9fd237a6e6ae344ff753d5b8c03

    SHA256

    471bf7c2b54380414d892f16203959772984fc6ee63dd0dae30e44e93423b573

    SHA512

    5813de64f63d745ec2f36828f41524f368049f1bc99f53beeea167be29c65548e9a1584664e02fb4db3a817795324e6b948ff1683ea6b6d214a2da0f79cd31b5

  • C:\Users\Admin\AppData\Local\Temp\Cab5DFB.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar5EAA.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\lmbxtjxicmil.exe

    Filesize

    352KB

    MD5

    1e1def42d14365acdde0fab027ab4f73

    SHA1

    076c52faa6c76610fca15b8533e81bf8ba8133a8

    SHA256

    92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23

    SHA512

    c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722

  • memory/1680-0-0x0000000000300000-0x0000000000386000-memory.dmp

    Filesize

    536KB

  • memory/1680-11-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1680-12-0x0000000000300000-0x0000000000386000-memory.dmp

    Filesize

    536KB

  • memory/1680-1-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-6490-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-6041-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-3151-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-6047-0x00000000043B0000-0x00000000043B2000-memory.dmp

    Filesize

    8KB

  • memory/1924-14-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-6128-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-720-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/1924-721-0x0000000000290000-0x0000000000316000-memory.dmp

    Filesize

    536KB

  • memory/1924-13-0x0000000000290000-0x0000000000316000-memory.dmp

    Filesize

    536KB

  • memory/3068-6048-0x0000000000230000-0x0000000000232000-memory.dmp

    Filesize

    8KB