Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/01/2025, 10:31

General

  • Target

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

  • Size

    371KB

  • MD5

    c192a273a786b569df2056914faf8327

  • SHA1

    87f24f470d678deae2cade1d3fd12255e796c091

  • SHA256

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

  • SHA512

    8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+iwxag.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/7D9EEAD73E82E178
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7D9EEAD73E82E178

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/7D9EEAD73E82E178

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7D9EEAD73E82E178

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/7D9EEAD73E82E178

http://xlowfznrg4wf7dli.ONION/7D9EEAD73E82E178

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (407) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
    "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
      "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\dakfjprvnatu.exe
        C:\Windows\dakfjprvnatu.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\dakfjprvnatu.exe
          C:\Windows\dakfjprvnatu.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2624
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2484
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1968
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:960
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:612
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DAKFJP~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2940
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1868

Network

MITRE ATT&CK Enterprise v15

Downloads
