globeimposter | e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40

General

Target

e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
Size

53KB
MD5

d4bf96eb8a93925506d8f4dac73ecf62
SHA1

a28000fefa83464b599905e3553a6e6a25034519
SHA256

e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40
SHA512

26149702e6450579187f1fb31cc340b3d82cb78ed0dc8ed278778f64662a3bcd0f98c5edcae99d869461d57340e84196907c5fddc04d9c4e571cd4dba7004dc3

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note

<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>��5D A8 12 1A 16 33 AE A8 7F C4 9E D2 C7 C0 F8 7A 42 F7 BC F9 D5 FD 1C 6D DD 2B 3C C4 ED 88 BA 9E 71 51 47 10 8C 12 02 59 CF A6 F7 D5 14 33 B0 26 92 CA FC 2D 38 E0 93 46 85 29 FB 0C D6 8F 47 E3 A6 BA AC 8F AD 45 B2 3D 83 26 37 1D 6B 10 BB B9 FF BD 26 4F 7C 25 4E BC 9A DE 46 32 C1 64 7D 8E 56 D5 2C D2 A5 B0 43 49 CF E8 5C 50 FE B1 4C B9 3F 1F FA CC C0 76 A8 C4 ED 4F 43 D8 52 80 13 6A CE AE 3A BE 7E A1 07 17 FE 2D 10 D2 95 54 56 38 AA 1D 18 29 7D 36 F3 83 FD 29 E7 A1 1D 53 0F 53 3F 86 25 E3 97 19 64 A1 4B 5F A4 27 2C 73 A5 24 1F CB 14 40 B4 C3 8D E6 0D 6E D7 D5 42 7F 5B B3 27 90 0F 37 77 9B F0 11 A8 84 BA FB E4 32 D8 2C 2D EB 88 55 6D 8B 16 49 DA A2 7E B9 CF FD 83 E8 83 90 FD 59 14 F9 B6 38 48 91 E6 A1 41 CE 28 23 A8 B0 64 9F 2C 33 01 99 B5 DA 07 A4 8E 35 EF BF </pre> </div> </div>  <div class="tabs">  <div class="tab"> <div class="bold"> <div align="left">Your important documents, databases, programs, saving games, documents, network folders are encrypted for your network security problems.</div> </div> <div class="bold">No data from your computer was not stolen or removed.</div> <div class="bold">To restore your files, follow the instructions.</div> <div> <h2 align="left">How to get the automatic decryptor:</h2> <div class="bold" align="left">1) Create a Wallet and buy Bitcoins </div> <div class="note xx"> <div align="left"> </div> <div align="left"> <strong>Create Bitcoin Wallet of these sites:</strong> </div> <li><strong>https://blockchain.info/wallet</strong></li> <div align="left"> <strong>Buy BTC on one of these sites:</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://www.bestchange.com</strong></li> </ol> </div> <div align="left"> </div> </div> </div> <div> </div> <div class="bold"><p>2) Contact us by email : <span class="mark">[email protected]</span>. and <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document)</p> </div> <div class="bold"> <p>3) After answering your inquiry, our operator will give you further instructions, which will be shown what to do next (the answer you get as soon as possible)</p> <div class="bold"> </div> <div><p>* To be sure in getting the decryption you can send 1-2 encrypted files to <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document).</p> </div> <div><p>** Write here on the mail for a faster response [email protected] <div class="note alert"> <div class="title">Attention!</div> <ul><li>Do not attempt to remove the program or run the anti-virus tools.</li> <li>Attempts to self-decrypting files will result in the loss of your data.</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key.</li> <li>We are not liars or cheaters. You pay - we help.</li> </ul> </div> </body> </html>��

Emails

class="mark">[email protected]</span>

[email protected]

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3496 created 1432	3496	WerFault.exe	101

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConnectResolve.tiff	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe"	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe

Drops desktop.ini file(s) 21 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4952	1432	WerFault.exe	101

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2688"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2688"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2688"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	WerFault.exe
4952	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3328	svchost.exe
Token: SeCreatePagefilePrivilege	3328	svchost.exe
Token: SeShutdownPrivilege	3328	svchost.exe
Token: SeCreatePagefilePrivilege	3328	svchost.exe
Token: SeShutdownPrivilege	3328	svchost.exe
Token: SeCreatePagefilePrivilege	3328	svchost.exe
Token: SeSecurityPrivilege	3556	TiWorker.exe
Token: SeRestorePrivilege	3556	TiWorker.exe
Token: SeBackupPrivilege	3556	TiWorker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1432	SearchApp.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1432	3496	WerFault.exe	101
PID 3496 wrote to memory of 1432	3496	WerFault.exe	101

C:\Users\Admin\AppData\Local\Temp\e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
"C:\Users\Admin\AppData\Local\Temp\e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1432
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1432 -s 4396
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1432 -ip 1432
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3328-130-0x00000268145A0000-0x00000268145B0000-memory.dmp

Filesize
64KB

Download
memory/3328-131-0x0000026814B20000-0x0000026814B30000-memory.dmp

Filesize
64KB

Download
memory/3328-132-0x0000026817220000-0x0000026817224000-memory.dmp

Filesize
16KB

Download
memory/3356-135-0x000002BBCFA00000-0x000002BBCFA04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing