Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 22:57

General

  • Target

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

  • Size

    371KB

  • MD5

    76b0182e3dc2f368facd1446a78d2ae0

  • SHA1

    6e6f6df8ef1a845e335995fbfa48dab3526cea29

  • SHA256

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

  • SHA512

    e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/8113B4449D559D60 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8113B4449D559D60 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8113B4449D559D60 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/8113B4449D559D60 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/8113B4449D559D60 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8113B4449D559D60 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8113B4449D559D60 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8113B4449D559D60
URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/8113B4449D559D60

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8113B4449D559D60

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8113B4449D559D60

http://xlowfznrg4wf7dli.ONION/8113B4449D559D60

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (407) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
    "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
      "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\dakfjprvnatu.exe
        C:\Windows\dakfjprvnatu.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\dakfjprvnatu.exe
          C:\Windows\dakfjprvnatu.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:752
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:772
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1216
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:700
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2480
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:3000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.html

    Filesize

    9KB

    MD5

    347ab51eb34f8c68d813ffb4489b3aba

    SHA1

    5b14b5904ce0b6346d4b68038f45db618c8ebce5

    SHA256

    76283b752b08a3b081494f6a9993748e8c68f4b26817c7a94d5a0b5554474a85

    SHA512

    751852e41fe519e5011c1f8df6d58fe48b0878d1854fcde3fdbda97f0c6dde1a7d1f062483747f03267666f32227b2db989cc4e338a314a9d19794e510b8183b

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.png

    Filesize

    63KB

    MD5

    75eee0569e25e9ae9f452ef29ef0d08e

    SHA1

    29fc0f471596fe2c0cd9cbfa83ebd60f2ba0d9dc

    SHA256

    98f1e93cb96d95013c3d837f568b17c76ac4b7ad99d55bb70777cd305fa21051

    SHA512

    71e62ab4245e08709858763804130884a7aa4edc4de4bd23fc1f6f3f42471e059e5699be8451645b83fc13d1df0c1b13fce13bf88dd1db9128753a07790dd05e

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt

    Filesize

    1KB

    MD5

    de745cf681a6d79663d1a122cd2a8e56

    SHA1

    eb28f46e53c30246a2c7513d38e717e506816a11

    SHA256

    73d7ce7b5e4da05cc56e4a6199cd9b5254c9d415bde40111209fad5892353bc2

    SHA512

    91f8465b1965ff0de69cb153e42f0e5345641e0e6f2fed6cbaef94f80d03e6807817d5040073176792b0956a1e91d79ba72a18b49308ac7c142a4474092f5754

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    2ed304b9347d3f41c4ccc6542e3c2461

    SHA1

    306742e1b8628df74f3f226e2b07fb89747b9674

    SHA256

    3ecb17e7a85c8e92d8dc7348c4cff032aef746b3ba3ec0a823eb94374e6a51ce

    SHA512

    b85c56bef0ec8184c97dce42b7a13478f048f082475105f98290849d3b211d536105ad2d33c0cc4db49e75734fa3ca3144e532bbde80671a6945e7c7db1f90b3

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    d9960cad9463342570a870740e49ae89

    SHA1

    a5e41c3662b8ced534d74b2993f060b35b937875

    SHA256

    1f8c5994dd63eadd802bdd9b191e0e457e42f68d78edd27414cb9f001dbf32d0

    SHA512

    cce443884ad552724ecd179955dfe3d30bd6670933c36509d4ab25b0e8fe50a0334c8364107f9045ebc3df5417b4e092d30e85b58c99beeaf866b4547626ecfc

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    85700501b4b9adb4eabbf7968085fbc8

    SHA1

    e102152df4c3cbd3204c8393f2bcb8b777555239

    SHA256

    de88c50036f8443a4b829f7d43c01a4af29b8e53f4f684174d827de9edd4bb2c

    SHA512

    4da822de7edeb78b9993908b7f3fec4e28c420ea2ea27fdfa0f21c246ee2e78ebd4c27467684c45ef0eca65823a2904507344c414fcf020d8e01ffed26ba58c1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3b2d6281fdea7dbd078ddb77b6260a7a

    SHA1

    1a2fde30593cdb59d158854625d2c255c2af29de

    SHA256

    d32aed0b40b292a7c3d4b1f68466b3d1afe8d37cc4ebdd9d83927591aff7009d

    SHA512

    a9a23e0e24f41c5195646e84e5f4608b24ba365ff6344cec0add84f28bac3909a32ecfddd0fbe0d78cdde6d1c940b4c19d4dc085a19a9c0c97a977052528b841

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    90fa67d36864c25a3e6b4132d064240e

    SHA1

    d3dd8a757eb161a461d1529fed58d39c0445c6e2

    SHA256

    9d47cdab46524d5871983a28dbf1241f6a7dc7e887c94f77b11d02d4e045da8b

    SHA512

    0bd9ee52185f08827dcea291a12f145e6318404e49bab910b373d7177842840c9802e491de039b7c2f59a0f7f325b5c9ba5a9e47a4898cc039ffb39650adc95f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c32e964daa07f70624181205b53b2c0d

    SHA1

    ccd82d9631adba2a1060210f5a1bed27b1ac0a45

    SHA256

    f3dcecd31d5eedb15894cc5e539331e94830206baf634b8ca5f0e257e2c9eea5

    SHA512

    98148fd4d666e0c7b7911ced82f82df13c794720f27e80c510097b170a9fdbc169c5a8eb3bc4f452fafb430a3d7e2a59e83487dbbbee25380f60956d85e6fac5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5f43033b87140b0faba2252c29ebd98a

    SHA1

    96481ebab856993aa9a885b6d74f04ed2f997ad9

    SHA256

    54565f5f656be7e9db66894ec98de03cd980f77af7bb5c5dc5002188884af2fb

    SHA512

    a34b9f1883ff16bd3122363839176853ab1e32aaa22ce812c8e1c2b3a70be15de91b0daacd4780a54a344b7fb6b1ba0f439201fb301cc335b65d216c5474896b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b7ecf78338fd0b503709287af1e9c4de

    SHA1

    1507ba155360fe4ac59b2f49697b3acec90bd215

    SHA256

    bed0be7c3328c4a242438ff9f682bb8b9ac6b9155e1387d8b4a94f9f7a012f3f

    SHA512

    211bb7213c74f0b212ef4b8690ec2798459fe4d32ef1bfdaba9111ad679be75ac674ce2875e660d3ddec7395353477ccf1b6ba2373f7dd55ec589f7833613570

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    091cc3b2208570ad28e93e836325d62e

    SHA1

    3a3da77f14747f5d486aa924e9802afb06d2897e

    SHA256

    649428e555f253aa92af7bcb4285ea197483bcd738a31ad87ec3617a91b7ee19

    SHA512

    dba0658e4c5ecb97771758bc390af455b383fb5ab5c2642404b94f362f1732fed36e4426c0bba3fc9e7f6ed70efcce362c775a4ea23038be0e1d33dda3e186fc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    46c9525f92fe3d3b28e8e467157a4318

    SHA1

    b65c4742f03b3d875a92a6e62f4377ba860c4e2f

    SHA256

    9fdee33d38a4156441206fd91b6fc2a24a5c8ec13ddb2223628a097713be98ea

    SHA512

    47b0ab0431e005f952e82b95adfd62089fb567cc83b2f5efb0670f79d00fd055421ab4be35a72cbb13528379be519523dffbcd799db8bf81022e89194791dc99

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1b4cc935f67631453d9aec838ceed3e5

    SHA1

    f4b8b6a9125a71b0f5d02f76f7811ebbe3447394

    SHA256

    7e1386a51a61b2bd4cd77a26f6af89a56078d878a89f1f5af3b910e7b5a53558

    SHA512

    d53f7be6600df58498ed33be2349efa3d952823dc603171d46045b552045e1c159fe64c3abfa57d81c42f12c88c9175189680d7b48a5e0ac59668a9eb67d4c5f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b8833f2fd4eb1a409ce845f3c6f476f4

    SHA1

    fdc5873dfec46b5d84b088ce40135eb6e555c1b6

    SHA256

    b33ce8c02dceb67d083c91785812f4a15aedfad2548aff5223776d6a59af0e35

    SHA512

    ed559fb7844bd7dcc32b6906e73bd30028e54c5edc3f0c3fb8f36244dca0f17f897fea18415f47d60120be9278d8b48e2ba78255813e17926f4e28b39787ecd5

  • C:\Users\Admin\AppData\Local\Temp\Cab3B1E.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar3BDE.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\dakfjprvnatu.exe

    Filesize

    371KB

    MD5

    76b0182e3dc2f368facd1446a78d2ae0

    SHA1

    6e6f6df8ef1a845e335995fbfa48dab3526cea29

    SHA256

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

    SHA512

    e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • memory/752-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-5228-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-47-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-1494-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-50-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-1970-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-6081-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-1971-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-6090-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-6072-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-6078-0x0000000002BE0000-0x0000000002BE2000-memory.dmp

    Filesize

    8KB

  • memory/752-6087-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/752-6082-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-7-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-9-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-13-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-5-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-27-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1296-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1296-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/1968-6079-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

  • memory/2384-14-0x00000000002A0000-0x00000000002A3000-memory.dmp

    Filesize

    12KB

  • memory/2384-0-0x00000000002A0000-0x00000000002A3000-memory.dmp

    Filesize

    12KB

  • memory/2784-28-0x0000000000400000-0x000000000056E000-memory.dmp

    Filesize

    1.4MB