ctblocker | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f

Analysis

max time kernel
150s
max time network
139s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
Size

731KB
MD5

3d9a9103b13744b626e67f5dab6618e7
SHA1

9ad16fb6810dd136985c8a78688b81e275ddf979
SHA256

1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512

b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-ywrfvle.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 2VULOOJ-6IFGMPY-OWH5KS5-ERDO3AU-XXVFM6W-I4UJRAS-355AZD7-2VGIKEG A72Y7BP-P2EKWTU-72XWYTI-YVIO6LK-ZYB2UEM-MOS2GJ4-6S4XDAH-6FULZ3U SKIIUFP-KI7DUM5-QJZ5E5I-32PNAZC-2TLSHUC-PBSSKRL-7CULS6V-H3EMFRM Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\siyrcpf.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
3992	gvpesyf.exe
1996	gvpesyf.exe
1032	gvpesyf.exe
1520	gvpesyf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	gvpesyf.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	gvpesyf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	gvpesyf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	gvpesyf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	gvpesyf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	gvpesyf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	gvpesyf.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ywrfvle.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3128 set thread context of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3992 set thread context of 1996	3992	gvpesyf.exe	80
PID 1032 set thread context of 1520	1032	gvpesyf.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2860	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU	gvpesyf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	gvpesyf.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	gvpesyf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	gvpesyf.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\MaxCapacity = "15150"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640030003500630066006300340061002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2784	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
2784	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe
1996	gvpesyf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	gvpesyf.exe
Token: SeDebugPrivilege	1996	gvpesyf.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1520	gvpesyf.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1520	gvpesyf.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
3992	gvpesyf.exe
1032	gvpesyf.exe
1520	gvpesyf.exe
1520	gvpesyf.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3128 wrote to memory of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3128 wrote to memory of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3128 wrote to memory of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3128 wrote to memory of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3128 wrote to memory of 2784	3128	1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe	75
PID 3992 wrote to memory of 1996	3992	gvpesyf.exe	80
PID 3992 wrote to memory of 1996	3992	gvpesyf.exe	80
PID 3992 wrote to memory of 1996	3992	gvpesyf.exe	80
PID 3992 wrote to memory of 1996	3992	gvpesyf.exe	80
PID 3992 wrote to memory of 1996	3992	gvpesyf.exe	80
PID 3992 wrote to memory of 1996	3992	gvpesyf.exe	80
PID 1996 wrote to memory of 728	1996	gvpesyf.exe	10
PID 1996 wrote to memory of 3016	1996	gvpesyf.exe	23
PID 1996 wrote to memory of 2860	1996	gvpesyf.exe	82
PID 1996 wrote to memory of 2860	1996	gvpesyf.exe	82
PID 1996 wrote to memory of 2860	1996	gvpesyf.exe	82
PID 1996 wrote to memory of 1032	1996	gvpesyf.exe	84
PID 1996 wrote to memory of 1032	1996	gvpesyf.exe	84
PID 1996 wrote to memory of 1032	1996	gvpesyf.exe	84
PID 1032 wrote to memory of 1520	1032	gvpesyf.exe	85
PID 1032 wrote to memory of 1520	1032	gvpesyf.exe	85
PID 1032 wrote to memory of 1520	1032	gvpesyf.exe	85
PID 1032 wrote to memory of 1520	1032	gvpesyf.exe	85
PID 1032 wrote to memory of 1520	1032	gvpesyf.exe	85
PID 1032 wrote to memory of 1520	1032	gvpesyf.exe	85

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
PID:728

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3016
- C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2784

C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
  "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
    "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
      "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/728-130-0x000000000FA10000-0x000000000FA87000-memory.dmp

Filesize
476KB

Download
memory/1520-147-0x0000000000A80000-0x0000000000CCB000-memory.dmp

Filesize
2.3MB

Download
memory/1996-129-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/1996-128-0x0000000000760000-0x000000000097A000-memory.dmp

Filesize
2.1MB

Download
memory/2784-116-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2784-120-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/2784-119-0x0000000000400000-0x00000000004A4400-memory.dmp

Filesize
657KB

Download