Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 23:08

General

  • Target

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

  • Size

    371KB

  • MD5

    76b0182e3dc2f368facd1446a78d2ae0

  • SHA1

    6e6f6df8ef1a845e335995fbfa48dab3526cea29

  • SHA256

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

  • SHA512

    e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+gjvix.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/F97D7F90599446A
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F97D7F90599446A
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F97D7F90599446A

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/F97D7F90599446A
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/F97D7F90599446A
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F97D7F90599446A
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F97D7F90599446A
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F97D7F90599446A

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/F97D7F90599446A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F97D7F90599446A

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F97D7F90599446A

http://xlowfznrg4wf7dli.ONION/F97D7F90599446A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (438) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
    "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
      "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\shtjtucrlkrj.exe
        C:\Windows\shtjtucrlkrj.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\shtjtucrlkrj.exe
          C:\Windows\shtjtucrlkrj.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:288
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1868
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1220
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1312
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1748
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SHTJTU~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2004
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1644

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+gjvix.html

    Filesize

    9KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+gjvix.png

    Filesize

    63KB

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+gjvix.txt

    Filesize

    1KB

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Temp\Cab4F3C.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\Tar4FFA.tmp

    Filesize

    181KB

  • C:\Windows\shtjtucrlkrj.exe

    Filesize

    371KB
