Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-10-2024 05:47

General

  • Target

    1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe

  • Size

    388KB

  • MD5

    1fe6fdfb7796bf1ec5bdf80f86fa9dc5

  • SHA1

    c4f86755ca60567fedc3a05ce88c4a342219c8b4

  • SHA256

    a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

  • SHA512

    22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6

  • SSDEEP

    6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5 2. http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/BA1B1583073DEA5 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5 http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5 http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BA1B1583073DEA5
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5

http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5

http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5

http://xlowfznrg4wf7dli.ONION/BA1B1583073DEA5

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (422) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\dyeopbpvfjhn.exe
        C:\Windows\dyeopbpvfjhn.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\dyeopbpvfjhn.exe
          C:\Windows\dyeopbpvfjhn.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2596
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1876
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:624
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2528
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DYEOPB~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1FE6FD~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2688
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.html

    Filesize

    9KB

    MD5

    42b9defa3c22670549c88c352eebd7c8

    SHA1

    8e75bab6dba473467b10f25b58c0b1cb8347416d

    SHA256

    39a9e3af76ed44b8afa73bda85e2629657d20c24ec91ed076fd0ab87e4901ce4

    SHA512

    8153a4933d4d94920778fc0cf052e16d040a397a714d495d88e533f97778626d7767540e5103f08906f04d40dc58106589eb900491db628b5e3f03166ed95b64

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.png

    Filesize

    63KB

    MD5

    44b9c66b8f1f99be6198f07bae10a01e

    SHA1

    6784a62d466bf1383f74558b5a9075f1e8ab4a1a

    SHA256

    83d57950fbc1866457985347ee26040959ce509e19beecb96a605217481ea315

    SHA512

    832da429a963a7ca02375cc166ee5bf10ee338bc964df79f9d096ab25fde28b937de07792638ca955ad21a88c699c68cb5fdbd443945ade0605976dd5c5132da

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.txt

    Filesize

    1KB

    MD5

    99bf04db906bf51557959c671dba9ee2

    SHA1

    12fcd234e530855508e205310bd01ffa43f73beb

    SHA256

    457f521625205d8924d851161c69642158b8fcf9ec3927758b3ed363426ea52a

    SHA512

    1a5285fa7b226b783e0c98ca8318c290814f2393e7cf48a34c6d02d227a67a51f2b154a10eb4d39d3e7b3e70f5ecfd7f25b66572a0c7d417f92ceeeabb62bec2

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    782cd194cf17ef48b35f2a776f0b5a1c

    SHA1

    ecac2aeb08b0cb165fe63670e787b69c4ee48b25

    SHA256

    0d9a172cc228eca8a8df0656fd2ec4b0adc88689dd4f4674a3be24774dbc5f5d

    SHA512

    9622b74c5e0b5d0380766299ae02ab99a26cc9f11768828d754ff22ea854323770bec358cfcf0ff33cf34ecf8469c9dd63c2422ee493a0d634e150561c7a08d5

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    3d8f07eb400a297cdfb4984b9d9fee02

    SHA1

    3556e686330321597184e80b2f0749cc5b2abf4a

    SHA256

    346860aa3001b014febe0925af8a014d1e207fc89b091a45f808dd9f3e5669b7

    SHA512

    a9b6878d017d3e0261383704c6eebe5c76a947b7385005e44826b107da992bea0ac906d584ed4c480023c952bc3c1854c57c20de460e193f6e846a7e64bcc7c5

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    102bbbc947d6c89fc55c96412f94c13c

    SHA1

    67157082ee09afcb35ad4e4876a7fe4172f1290c

    SHA256

    56e5f9e1823e49ab81011cbfadbdac2c208d35abdbd8d39ef8f0a2305c005227

    SHA512

    ade23c7e730c7d52c650db4e5b632943b50613eade203565fa1f81555e4fab22947df46815c98fb5810e33d0ea55da58e5e3e7b8a504fc3d58384983c6265f84

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cf49d353c14e0c95eb076eca342c6c40

    SHA1

    e10fded1e24f59636ca3f0466a32bcad856ae7e6

    SHA256

    6cbb24f8c255cddbbbe07af8a923c1d556d64c635521373b7d023883e72d25b6

    SHA512

    68f74236c8186acfd503d3a135e90c0d5f3d2fc197b92494f3b50e3ed8878d46508ad7de444c5d04e876b95cc183b3c394c14cca6057d05780a3ed1642aeb9f1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0291c04a5412c381f4d0d31b50c3e58b

    SHA1

    1e90ee48578b3951fbcf7c6b147e3661db3e9d27

    SHA256

    4f4a45084290e46fbcaa433bdcd970938ff9f8854af45cea2ce347ce00828d96

    SHA512

    73f6b36e7b642c9643db27463b6d45861d1c493ee9a3fd64d45facbce61fb3927c16c40f40774307601717a6f4cf083c07ba307ef47c0f633d39171887acec9a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fa71d9dd57ab89282ec8fddb576dfef4

    SHA1

    f1134b2b062a712a86512f457acd0b0ffc0b899c

    SHA256

    b95593117db837dbdc393f6fa7cf5bb99ca4b3bef08789231e34499a786a8866

    SHA512

    89af5b8a24daf5fd7a81cc4eabbe8ad4ae4a5362680b6a5ae9a5aa4fc692e67d9b8e3495443e1d56ccf932da82e61e1989b928a25a06afd9dc2086f92b858209

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    58a09d82c1e9fc1f11997ee87632b3cc

    SHA1

    8d16af332f6a6f97fa3f2040e50a3a6176e6f9d4

    SHA256

    3f895e9fb596e8222ae24d4eeade20423515a7b4fa9c49b8ae3f4274376c1ae6

    SHA512

    4b12d2eaf90e4fa06ba59ca281eb965d0fde9127d546a0d6582b929fddc494c70af889187c0558e7d51b266306bd5d18d57dda0dff248ab89c2086c5efce9a38

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    821bbce4b74071d898ac736a7d04b960

    SHA1

    2f7f47d3563c2fb8c2d6720a914b821275646a0c

    SHA256

    132f85fdb4bfe83431ba0d8fd5e16e98fa12e89236c32ce18b5101cc2761d828

    SHA512

    f31bbc64f48d1ded897fd476e85242a43731e9b5da21ec3e229c32833eafca4ddbf987a29ef90ef5252a16b3146c807c47ff5cd52c6966b13be89a5ae09cf5a8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    467e9a92d5a31f4f8b3d58b0303c5781

    SHA1

    22eb2cdeffc6bf46b69509edb3f24b5246059a24

    SHA256

    0cc956dfb2d39e25c3e2f6661aa04a704d7ef016b1191aa2bd82d534ba470a7b

    SHA512

    2dd34549dc3f3054bcfd9291460ffd44083c6426dc7c370d3877e972914be48d5ef0e60b3e9a06021f2a4bf79a0acf24e15acd84ce80bd4747cb95a3e9049ebf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d42385feeb3d43274ca0eb296e693a15

    SHA1

    cd98dcb7c6087e9d649c7422de51cd5723e76dd0

    SHA256

    39aec1305594ff4ec10686d4c46cdf3dabde47f8ae16e4486a1671a2561f36b3

    SHA512

    3f60debe9bd7cbb5af265e4242c0924d134f522a38692e0e9c2480dd44c6ae45ccb23b84113eebdf1f6541b2bb080fe74c07dcb65dcbc9d2cfd97d8b95a23df8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dad42d8c78c467b0552770f00621841d

    SHA1

    17a5ff854247f6cbfaf68dd4efee6fac019ecfe8

    SHA256

    8ee734fbedcc95654445ed3ef4743277f91fd5b894aff4a2a12c2d7c2927798a

    SHA512

    b3a47ec3b4eeb1a8b29a3a8f9572f0e4812ff2f846f48121c3c2ea2d83487766fe57e738c4e002ffdfcbc86fba0f7a062bc42f9f9d00a4c847df9470104b0e3f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6d4350970e4e0b3287f4eb1e76b6bf45

    SHA1

    a97d87ccb5b58ea95c71f77a8bf7434804ce3cbc

    SHA256

    6038532a64dd4ad6dbcee2954351782e0bb6d245a04488c96f6d989e26d87547

    SHA512

    aa31ea435add14c7a4f22a9acf3459f061e7f3b7a26a366d026aac332bd9e993fed13ef2e736f119bfdc127f85791d58ed830da6945dfca00a822ad2183d0ef1

  • C:\Users\Admin\AppData\Local\Temp\CabFA49.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarFA48.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\dyeopbpvfjhn.exe

    Filesize

    388KB

    MD5

    1fe6fdfb7796bf1ec5bdf80f86fa9dc5

    SHA1

    c4f86755ca60567fedc3a05ce88c4a342219c8b4

    SHA256

    a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

    SHA512

    22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6

  • memory/1780-6103-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2232-28-0x0000000000400000-0x000000000085C000-memory.dmp

    Filesize

    4.4MB

  • memory/2296-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-31-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-11-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2296-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2596-6107-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-1874-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-53-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-6106-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-6096-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-6143-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-6146-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-4943-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-54-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-2383-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2596-6102-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

    Filesize

    8KB

  • memory/2596-1878-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2868-18-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2868-0-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/2868-1-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB