djvu | b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61

Resubmissions

04-06-2021 01:54

210604-q1mqz6zlf2 10

03-06-2021 12:45

210603-5fgyg6535j 10

Analysis

max time kernel
551s
max time network
545s
platform
windows10_x64
resource
win10v20210408
submitted
04-06-2021 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

570fbe91fdd6d1eb8cfd2f03c032cdde.exe
Size

872KB
MD5

570fbe91fdd6d1eb8cfd2f03c032cdde
SHA1

59d07617c682fed330d82b1d97f1bf32c30c6ff1
SHA256

b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61
SHA512

e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-B0FsLNO3fN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0300ewgfDdLQbDo3EfIVHxGuJOWRJdmxgY66rD6kiyqz4tzyt1

Emails

[email protected]

URLs

https://we.tl/t-B0FsLNO3fN

Signatures

Detected Djvu ransomeware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2676-114-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2676-115-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/656-116-0x0000000002420000-0x000000000253B000-memory.dmp	family_djvu
behavioral2/memory/2676-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1992-122-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/1992-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2068-127-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/2068-130-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/648-133-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/648-136-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Executes dropped EXE 4 IoCs

Processes:

570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe

pid	Process
3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
2068	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
648	570fbe91fdd6d1eb8cfd2f03c032cdde.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

570fbe91fdd6d1eb8cfd2f03c032cdde.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WaitPop.tif => C:\Users\Admin\Pictures\WaitPop.tif.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\CompareRevoke.tif => C:\Users\Admin\Pictures\CompareRevoke.tif.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\MergeSearch.tiff => C:\Users\Admin\Pictures\MergeSearch.tiff.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\MergeTrace.raw => C:\Users\Admin\Pictures\MergeTrace.raw.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\OptimizeApprove.png => C:\Users\Admin\Pictures\OptimizeApprove.png.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\ClearConvertFrom.tif => C:\Users\Admin\Pictures\ClearConvertFrom.tif.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\EnableUnlock.crw => C:\Users\Admin\Pictures\EnableUnlock.crw.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File opened for modification	C:\Users\Admin\Pictures\MergeSearch.tiff	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
File renamed	C:\Users\Admin\Pictures\ShowDisconnect.tif => C:\Users\Admin\Pictures\ShowDisconnect.tif.paas	570fbe91fdd6d1eb8cfd2f03c032cdde.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
3380	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

570fbe91fdd6d1eb8cfd2f03c032cdde.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\\570fbe91fdd6d1eb8cfd2f03c032cdde.exe\" --AutoStart"	570fbe91fdd6d1eb8cfd2f03c032cdde.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	api.2ip.ua
12	api.2ip.ua
17	api.2ip.ua
23	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe

description	pid	Process	procid_target
PID 656 set thread context of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 200 set thread context of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 3720 set thread context of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 1812 set thread context of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe

pid	Process
2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
1992	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
1992	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
2068	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
2068	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
1992	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
1992	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
648	570fbe91fdd6d1eb8cfd2f03c032cdde.exe
648	570fbe91fdd6d1eb8cfd2f03c032cdde.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe570fbe91fdd6d1eb8cfd2f03c032cdde.exe

description	pid	Process	procid_target
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 656 wrote to memory of 2676	656	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	76
PID 2676 wrote to memory of 3380	2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	78
PID 2676 wrote to memory of 3380	2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	78
PID 2676 wrote to memory of 3380	2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	78
PID 2676 wrote to memory of 200	2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	79
PID 2676 wrote to memory of 200	2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	79
PID 2676 wrote to memory of 200	2676	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	79
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 200 wrote to memory of 1992	200	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	81
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 3720 wrote to memory of 2068	3720	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	83
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86
PID 1812 wrote to memory of 648	1812	570fbe91fdd6d1eb8cfd2f03c032cdde.exe	86

C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
"C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
  "C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3380
- - C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
    "C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:200
  - - C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
      "C:\Users\Admin\AppData\Local\Temp\570fbe91fdd6d1eb8cfd2f03c032cdde.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Modifies extensions of user files
      Suspicious behavior: EnumeratesProcesses
      PID:1992

C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
  C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2068

C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe
  C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\PersonalID.txt

MD5
c9141abc06f106bb6d58deb107253ac0

SHA1
8c748834dc38500d3632e3b6428977b02a6c8b84

SHA256
3d7cc5c63e5ac14b56e12c37ffa484eb9c4c3c28f89f36579d1d02da2433b0a2

SHA512
f01916ded59752b7ad45df8e2c83e9a809b0fd1de8f17863c973f9139ba4e4ac18aedef97c196ad782a6e733faafd9fcdd5447c82ec71676deb0f1d86097d203

Download Submit
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe

MD5
570fbe91fdd6d1eb8cfd2f03c032cdde

SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1

SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61

SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6

Download Submit
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe

MD5
570fbe91fdd6d1eb8cfd2f03c032cdde

SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1

SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61

SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6

Download Submit
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe

MD5
570fbe91fdd6d1eb8cfd2f03c032cdde

SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1

SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61

SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6

Download Submit
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe

MD5
570fbe91fdd6d1eb8cfd2f03c032cdde

SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1

SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61

SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6

Download Submit
C:\Users\Admin\AppData\Local\6dcb6942-e898-4cf4-bddf-e65f9bd9c6b2\570fbe91fdd6d1eb8cfd2f03c032cdde.exe

MD5
570fbe91fdd6d1eb8cfd2f03c032cdde

SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1

SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61

SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6

Download Submit
memory/200-120-0x0000000000000000-mapping.dmp

Download
memory/648-136-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/648-133-0x0000000000424141-mapping.dmp

Download
memory/656-116-0x0000000002420000-0x000000000253B000-memory.dmp

Filesize
1.1MB

Download
memory/1992-122-0x0000000000424141-mapping.dmp

Download
memory/1992-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-127-0x0000000000424141-mapping.dmp

Download
memory/2676-114-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-115-0x0000000000424141-mapping.dmp

Download
memory/3380-118-0x0000000000000000-mapping.dmp

Download