Analysis

  • max time kernel
    124s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-10-2024 15:30

General

  • Target

    74481ea80c55f674ae71732fb7df4bc0_JaffaCakes118.exe

  • Size

    382KB

  • MD5

    74481ea80c55f674ae71732fb7df4bc0

  • SHA1

    46df55fa1b7a804d47c500c8fa5ad9da0241162a

  • SHA256

    9377d0ed707b29c5a5168254589c060aafd8de069b0e5a5853f0476f536ea2e7

  • SHA512

    98bb6040e47967a9a6cb4b9209738917db4c99de3fa5e109f97744da49130b679b0428f26847f48e18d03d70f5c5352c6850cd5039a8ae6aefcfc68bfe739707

  • SSDEEP

    6144:PoQ60/gAOEYIME6YYnlEqvSKgnzC9RJC8m+Ho2JQE:PU0/gaTwxlJBgG9Tfmv2Jn

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+xnicp.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our Secret Server

What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/395B8D171184935
2. http://tes543berda73i48fsdfsd.keratadze.at/395B8D171184935
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/395B8D171184935

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/395B8D171184935
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/395B8D171184935
http://tes543berda73i48fsdfsd.keratadze.at/395B8D171184935
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/395B8D171184935
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/395B8D171184935
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/395B8D171184935

http://tes543berda73i48fsdfsd.keratadze.at/395B8D171184935

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/395B8D171184935

http://xlowfznrg4wf7dli.ONION/395B8D171184935

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (386) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\74481ea80c55f674ae71732fb7df4bc0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\74481ea80c55f674ae71732fb7df4bc0_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\ulmlnxwabvah.exe
      C:\Windows\ulmlnxwabvah.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2260
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:1116
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1984
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ULMLNX~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\74481E~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2992
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15


Downloads
