xorist | 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901

Target

3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Size

583KB
MD5

74d4e0e6dcf5cc7942c35e630036af0c
SHA1

c7c4bb3907344aed022d181eb73f8fd812e06f88
SHA256

3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
SHA512

110bb901dacc153fb484673fd033d2c0f9a3f7cbfd73a46f54c44c1f699796844b68db5a860cbbb5be08c03f4ad9dfcd25feb71fc8a9b37445e137a002e6a8eb

Score

10^/10

xorist macro macro_on_action persistence ransomware upx

Malware Config

Signatures

Detected Xorist Ransomware 4 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130ee-8.dat	family_xorist
behavioral1/files/0x00040000000130ee-9.dat	family_xorist
behavioral1/files/0x00030000000130f5-14.dat	family_xorist
behavioral1/files/0x00030000000130f5-17.dat	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Executes dropped EXE 3 IoCs

pid	Process
1996	javas.exe
1988	javas2.exe
1892	asat2.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x0002000000011052-43.dat	office_macro_on_action

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000130ed-4.dat	upx
behavioral1/files/0x00040000000130ed-5.dat	upx
behavioral1/files/0x00040000000130ee-8.dat	upx
behavioral1/files/0x00040000000130ee-9.dat	upx
behavioral1/files/0x00030000000130f5-14.dat	upx
behavioral1/files/0x00030000000130f5-17.dat	upx

Deletes itself 1 IoCs

pid	Process
1300	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"	javas.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	javas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	javas2.exe
File opened for modification	C:\Program Files\desktop.ini	javas2.exe
File opened for modification	C:\Program Files\desktop.ini	javas.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	javas.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	javas2.exe
File created	C:\Program Files\Common Files\System\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\kn.pak	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	javas2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata	javas2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ca.pak.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ja.pak.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	javas2.exe
File opened for modification	C:\Program Files\CloseUnlock.i64.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar	javas2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan	javas2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	javas2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	javas.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3	javas2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	javas2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	javas2.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	javas2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	javas2.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	javas2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr	javas2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	javas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	javas2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti	javas2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "PJVOKWEVLGZLZWN"	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe,0"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "YYCMXMJNMOUGWFB"	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\ = "CRYPTED!"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\DefaultIcon	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\DefaultIcon	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\ = "CRYPTED!"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open\command	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open\command	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "QTWVCXAHKDHGIML"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\DefaultIcon	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\ = "CRYPTED!"	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe,0"	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe,0"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open\command	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"	asat2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
268	PING.EXE
2384	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1996	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 240 wrote to memory of 1996	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 240 wrote to memory of 1996	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 240 wrote to memory of 1996	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 240 wrote to memory of 1988	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 240 wrote to memory of 1988	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 240 wrote to memory of 1988	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 240 wrote to memory of 1988	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 240 wrote to memory of 1892	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 240 wrote to memory of 1892	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 240 wrote to memory of 1892	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 240 wrote to memory of 1892	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 240 wrote to memory of 1300	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	29
PID 240 wrote to memory of 1300	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	29
PID 240 wrote to memory of 1300	240	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	29
PID 1300 wrote to memory of 268	1300	cmd.exe	31
PID 1300 wrote to memory of 268	1300	cmd.exe	31
PID 1300 wrote to memory of 268	1300	cmd.exe	31
PID 1300 wrote to memory of 2384	1300	cmd.exe	32
PID 1300 wrote to memory of 2384	1300	cmd.exe	32
PID 1300 wrote to memory of 2384	1300	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
"C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\javas.exe
  "C:\Users\Admin\AppData\Local\Temp\javas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\javas2.exe
  "C:\Users\Admin\AppData\Local\Temp\javas2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\asat2.exe
  "C:\Users\Admin\AppData\Local\Temp\asat2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:268
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-0-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/240-1-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2220-3769-0x000007FEF6400000-0x000007FEF667A000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

General