Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 09:46

General

  • Target

    b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe

  • Size

    376KB

  • MD5

    b09aca00a8dcded70eeac6ec2b497e60

  • SHA1

    9247ba9335b88b4fc1d8febed66e92e4aad8317c

  • SHA256

    b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

  • SHA512

    f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02

  • SSDEEP

    6144:J+lMnaN9yLmfyoZjcbxstF8cIxnTYI4LVmKJ7t2AQeRi:8TN9xyomFstF8conTCLVzTZRi

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+miyxn.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/4CC9B02651C6148
2. http://tes543berda73i48fsdfsd.keratadze.at/4CC9B02651C6148
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4CC9B02651C6148

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/4CC9B02651C6148
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/4CC9B02651C6148
http://tes543berda73i48fsdfsd.keratadze.at/4CC9B02651C6148
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4CC9B02651C6148
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/4CC9B02651C6148
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/4CC9B02651C6148

http://tes543berda73i48fsdfsd.keratadze.at/4CC9B02651C6148

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4CC9B02651C6148

http://xlowfznrg4wf7dli.ONION/4CC9B02651C6148

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (394) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
    "C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
      "C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\seenurpyycda.exe
        C:\Windows\seenurpyycda.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\seenurpyycda.exe
          C:\Windows\seenurpyycda.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2596
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1216
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2080
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1576
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SEENUR~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B45AE8~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:448
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+miyxn.html

    Filesize

    11KB

    MD5

    033a8a63781890b54dd0267e09053005

    SHA1

    de74a44a91ef2eccf4cac2303e4da2ad258a8b42

    SHA256

    e734ff456d78af11be8f0a23523bce81223ed80f216ddf31cbd426d71e47646e

    SHA512

    c26181f1b2e75652129b57f0d6dbd66f34f78e6f040c258da2d1cf2f18d818dc90de62c96c67cf1bfec54c04412aedac6ca412215f4c56b43e13b3669d186402

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+miyxn.png

    Filesize

    63KB

    MD5

    f07faaac2940ffa65b962faec473b49f

    SHA1

    a41b07f1f00b870ddb5353b64400655efa254636

    SHA256

    2dd81ecca4a4305c9988cfce18e2e013954ebced1e700047d03d971254d1a478

    SHA512

    77904c8b4a6fcaf10fa34d2c9d2d09a0af729536e0c1e4a8b22eb3ddee81ce354af7044186b4175a0f94c45506ccf582b4869c6984dd60ea270796216e305938

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+miyxn.txt

    Filesize

    1KB

    MD5

    fd0a61e19da3efff83e46d1a19c61107

    SHA1

    8e0f39065ce8fcad3e2da739fff072ba7b68bcd3

    SHA256

    c49443aabbe34497005020cf0ffe157a1d3f85b841166fa4d56beb64a044eb9f

    SHA512

    9d71fb8fe4435630ced362fb0d1cb2382751177346e21305bcd2d0956533e6d7887b3a0fb0d13cf28ca3a98fd87a6cbc8ab2340f1f5f61784cab17a4e8b790a6

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    99f52ddcb4f17ce080546529913c9b79

    SHA1

    018567afcdf5727a82b67777d58941fb98e48f2f

    SHA256

    f432ec323f75a2e77530b41cf9436f232fec2e1788a1dbea86cc3bc8782d37f7

    SHA512

    0a55a2edfcb034c8c0b5d2c969e48fa4faa382f8e1e9cd46ea2f05f4703d1efbc35606756bcf61a3f077b44b5a2824dd13a3c35feaa2317736af6a3f05d58cd7

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    1a66811435f1c4e7c46a8f50f9e2c3f4

    SHA1

    8c2b4380ea0ee661028e31b84f5685221ef263f4

    SHA256

    f12b7171f63a21fb39f486f77503d09564137cce1db64f8c8d05a2f24828c4cd

    SHA512

    6f9916adabbeea4f9a87d74d264e4df46ce4f83cdab29e81ff2d595d30cf93d8c4a5ad7516135f6249d643de610eb19499874434916fbc22688b7d3f03dcb053

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    451b3f2205b9966e1e0eb18bcf0bd5a3

    SHA1

    77324e052e0daefbe1688da190ab34d205667ca9

    SHA256

    12bc06a86cecaf1063edbd0b0308963f09ffb315afafad5607510d80d5048dc0

    SHA512

    b7ae6ea63f05b8d445d0a8d9846a28a8334c3cf173431a0fa48b2aa1e644d878cb6e01060c7e482e78dd1570ea40a034e41870b15a9752e9211ebc27ff9add59

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    180da467accce8e90a69c1366d2a527e

    SHA1

    3f04967191fdca23614d9cf37f5d7e1a3486c777

    SHA256

    bf9d8bd2e01b4ff1d83789f5041f61d4a4f81be5a59f4fdfc485a360c99e3c26

    SHA512

    7d9bf5cca68164fc63a666d8b94b9b42212b10d38e9c45e612d0b18ea99dbeadd8c8d67d09b162fde4d3f914b167ef9d4ac4636bae4838ce3c72bc3d31dd419c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4240987a2a550ea2aecac7696cafc869

    SHA1

    6a6362d0fda29ccc29795a9fc19525bcd48f9577

    SHA256

    7f59ebd1328e114f6fef4fee7ee323f98cae7bfd3e8f22d981fd38c3a4ecdb88

    SHA512

    83c7760bd1d14ab65f26adac728e7271d3d8b89c0dab2711020b62f76d71d1cd20cd5172064ad47119606732699f14bd667101bb669fe1547cd1a43249498cfb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    209dc628376ac8d6d1c5453c074cd78b

    SHA1

    42a04551aac445ef65fc9b382ab6a399a150ee34

    SHA256

    40d5fb6867aa2ec99269df526802b36849a7c174b57aef341a7104735ec42c77

    SHA512

    c7017a0c68b0939d567bf7b29711319b5af04969afde26b437e47dbcf768621141e57ee794f20915564104a19fa922dfb42bac3430e6213c26b7f16bff8a93c4

  • C:\Users\Admin\AppData\Local\Temp\Cab4AB7.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar566E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\seenurpyycda.exe

    Filesize

    376KB

    MD5

    b09aca00a8dcded70eeac6ec2b497e60

    SHA1

    9247ba9335b88b4fc1d8febed66e92e4aad8317c

    SHA256

    b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

    SHA512

    f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02
