djvu | e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c

Analysis

max time kernel
147s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/07/2023, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
Size

852KB
MD5

5d166a4a02e9171036403ac55a524c55
SHA1

a41b406cd89f0690b746c018c0ad7e70c72be734
SHA256

e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c
SHA512

13a7c91163768c3fcae21cceefd71fb74e98371409573c8135cf20093c9da0b41c053ed346d6a6319656e98a8bb325e96cb2873d1589837a87e87853423aa9da
SSDEEP

12288:idpN4ffBNd8S82fNcQsV5VWhXbH7QyKGU1V4WNcqclVUnTO2vE+BynowjPjmz:U6rd8XwWKXbbtK5TcSTO2v9kPjmz

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/raud/get.php

Attributes

extension
.wsuu
offline_id
7X6susBgNzwvmNWz9bMuyhXEUD44D10UNodg0Zt1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ujg4QBiBRu Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0752Osie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 16 IoCs

resource	yara_rule
behavioral1/memory/352-122-0x0000000004190000-0x00000000042AB000-memory.dmp	family_djvu
behavioral1/memory/2716-123-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2716-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2716-125-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2716-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2716-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-143-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-144-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-149-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-157-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4796-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2316	build3.exe
4488	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4640	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c198e5db-4807-4575-ba29-18aaa3b3adf3\\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe\" --AutoStart"	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
11	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 352 set thread context of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 1348 set thread context of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3808	schtasks.exe
3900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
4796	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
4796	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 352 wrote to memory of 2716	352	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	70
PID 2716 wrote to memory of 4640	2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	71
PID 2716 wrote to memory of 4640	2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	71
PID 2716 wrote to memory of 4640	2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	71
PID 2716 wrote to memory of 1348	2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	72
PID 2716 wrote to memory of 1348	2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	72
PID 2716 wrote to memory of 1348	2716	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	72
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 1348 wrote to memory of 4796	1348	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	74
PID 4796 wrote to memory of 2316	4796	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	75
PID 4796 wrote to memory of 2316	4796	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	75
PID 4796 wrote to memory of 2316	4796	e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe	75
PID 2316 wrote to memory of 3808	2316	build3.exe	76
PID 2316 wrote to memory of 3808	2316	build3.exe	76
PID 2316 wrote to memory of 3808	2316	build3.exe	76
PID 4488 wrote to memory of 3900	4488	mstsca.exe	79
PID 4488 wrote to memory of 3900	4488	mstsca.exe	79
PID 4488 wrote to memory of 3900	4488	mstsca.exe	79

C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
"C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:352
- C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
  "C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\c198e5db-4807-4575-ba29-18aaa3b3adf3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4640
- - C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
    "C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe
      "C:\Users\Admin\AppData\Local\Temp\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Users\Admin\AppData\Local\1657eb73-4ec0-42d1-a5c5-001b09ff1fce\build3.exe
        
        "C:\Users\Admin\AppData\Local\1657eb73-4ec0-42d1-a5c5-001b09ff1fce\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3808

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
debbf14f3483068c85dbb41089275387

SHA1
53c67f0496489a8bf83e645035b9e030fe22f052

SHA256
d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd

SHA512
ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9f4dbb9c92a85c4ef5093a2df64ac230

SHA1
83acdef3b775ddcea8a50a04e8f1e8afaa6e0d22

SHA256
f29be229662b3201af3c58d4fcccb93da75f9cc44a2b7c2e3086302bb2bc1425

SHA512
25a85055583e7d008a25add9d4976e8255b01e2dce1a90b75c63c8eff8ee56a94ef35852210cbec1298fc905325d295c73a78f9a8e85ffdfc98d8a2b0896150b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
b2f468b5d166e27fe74001958325a68a

SHA1
3209c0c8f3d0a9f71714b530c62be041d81d57a1

SHA256
d0641d1cc7f27bc8de4387be0a52fc1992610a2a61b47fd07d455c921d92ef36

SHA512
5c00518baeb1a5c5960b3408d9f182e4dc09e074efccbb2bc71e97640dccc4d80294387a8afbfc7d15106fc772fede0293fa7a4eb2c2e05204d92fa8f60e8b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
82eceb941d12ff1e9d46367c0abb77f3

SHA1
eeb97cc46c429b29bec5677ac536f6380688932f

SHA256
42c6fefedf185f8507eb178ebae3a69f40019e4f31586444ed58c44b82af4754

SHA512
00314f62da3b5267f031aab701c034977e146f5d67022601e1edbea5f91fe1da718c6d79474a53b37e11ed4e4574affd33e8543a74d93c65236d203aa08246f9

Download Submit
C:\Users\Admin\AppData\Local\1657eb73-4ec0-42d1-a5c5-001b09ff1fce\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\1657eb73-4ec0-42d1-a5c5-001b09ff1fce\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\c198e5db-4807-4575-ba29-18aaa3b3adf3\e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c.exe

Filesize
852KB

MD5
5d166a4a02e9171036403ac55a524c55

SHA1
a41b406cd89f0690b746c018c0ad7e70c72be734

SHA256
e515b5cada95af17780c206b00072c6d2b6ba61bf32db667f9d66a4ceb056b9c

SHA512
13a7c91163768c3fcae21cceefd71fb74e98371409573c8135cf20093c9da0b41c053ed346d6a6319656e98a8bb325e96cb2873d1589837a87e87853423aa9da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/352-121-0x0000000002570000-0x0000000002604000-memory.dmp

Filesize
592KB

Download
memory/352-122-0x0000000004190000-0x00000000042AB000-memory.dmp

Filesize
1.1MB

Download
memory/1348-140-0x00000000040B0000-0x000000000414B000-memory.dmp

Filesize
620KB

Download
memory/2716-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2716-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2716-123-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2716-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2716-125-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-157-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-144-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-149-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4796-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download