Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-06-2024 11:18

General

  • Target

    VirusShare_3b240ca653bd5467b19e195889c07c6e.exe

  • Size

    369KB

  • MD5

    3b240ca653bd5467b19e195889c07c6e

  • SHA1

    bfb732fd34099fb9f4467cfab185a4bf3bb28e95

  • SHA256

    62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6

  • SHA512

    32242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296

  • SSDEEP

    6144:fo07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:ftQVG+JIe/mGzMNlMVFC3Xi/YwOi

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+xcmab.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/49783B907533E6 2. http://tes543berda73i48fsdfsd.keratadze.at/49783B907533E6 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/49783B907533E6 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/49783B907533E6 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/49783B907533E6 http://tes543berda73i48fsdfsd.keratadze.at/49783B907533E6 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/49783B907533E6 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/49783B907533E6
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/49783B907533E6

http://tes543berda73i48fsdfsd.keratadze.at/49783B907533E6

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/49783B907533E6

http://xlowfznrg4wf7dli.ONION/49783B907533E6

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (425) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\ajtoweqsyjej.exe
        C:\Windows\ajtoweqsyjej.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\ajtoweqsyjej.exe
          C:\Windows\ajtoweqsyjej.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2260
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:1432
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2248
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2556
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AJTOWE~1.EXE
            5⤵
              PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
          3⤵
          • Deletes itself
          PID:2332
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2016

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+xcmab.html

      Filesize

      11KB

      MD5

      848a8e0272c9173731c7a9511267d2b1

      SHA1

      97f2d3cc100a29106e5078fc0a76d70e6cd6b6d4

      SHA256

      a0e4ba1696ed3f6b0a2d6239747ee62576e41dc2f7b2fdd9e18db40ce16776f2

      SHA512

      f32aeb19e5e577ec53b19c3f7e6c05d6734773a9ab7b4605af905d90d263747c4fcbf58a98c910a019d12579ac5372e5f200d0b39c1e0f9f13ea1737e1f110bf

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+xcmab.png

      Filesize

      62KB

      MD5

      0fa7e710d54aa148ee4b83b255e0c5eb

      SHA1

      fa6e891cf31ace1f834a6037824ca191e0b89525

      SHA256

      32f0b0287254edacf25d0a428aae6d177619d1f8e0032d015b8ee7cf6a29dee4

      SHA512

      7e94a96d5e082c82ed0ab79d66e6628827e3144b51a74d890f7c1ca5c9a4fb6adbfaf0a2516ed50f6b2700da4f1131b6747260170eec80777af39eb4b5392ea6

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+xcmab.txt

      Filesize

      1KB

      MD5

      992cdbc7cbd61e86717df91b68c5117a

      SHA1

      2f6b2a07b7c001f5e0585539430be6ea40dd5a44

      SHA256

      4265200c8101f5a6fe2f5cd941eaade8fcc86c18942b8d8b6a0e31d9b91dcbf8

      SHA512

      fca64c57d87610b104398802958c8a18ece76cdd51cfcfd77aa1dd3409003160c436b2341b725055f6dddc9f46476e9e861f24e03798e918ce2b6659e75f3a54

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      51b3d343b8e9d64385bcd97b6e9d2286

      SHA1

      bd0754b812a57ddb52a0987ed921d0305f6e26f4

      SHA256

      fe4147ae6039ffa60635f5d1826d8ea8840f0a50da7518542f3ea2e453bb80f5

      SHA512

      5650bb039fbedfd1862387f2362689dc0bdac33fdbc6986b95daa113b499f21ab8b13d564622954c6b3db616e31c1fe49e328177a9c84fbf5161d1da79a52637

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      87e8898916dd318783294de51c43c39d

      SHA1

      13deee2d6633b4c8883040dd22991ce91d022c0a

      SHA256

      1b8a849baca6304c80090b108dad4d4511b24d491e87cd90d0cea585c7f2f71e

      SHA512

      60724b62ecd8146f83b9fd7cd09d435ed2fd5d5f247935d763225d98b5ebce0aac94b52d936f9743812ad7fe44d048a5c4dc1aecbaabd1f7c0b3ea6b9b4b5b71

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      173KB

      MD5

      bbf74869872e3263919fb69b707dec80

      SHA1

      ff805fcc79483890da09d4667cdcdd7197795fd5

      SHA256

      88f3c1111129573826970ec195e18a3a5802bef8e71aaf2d394fdf31ef5d75d2

      SHA512

      17dbceb8698e659243f88e0fce7e9d74bfa2c30b975dfbc7c8bf9b09a7c4fe6e9e02e95a137debcea8f8e072558e5a16248cc2ca1553b6595d32f52700a9894f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a671a54ab9a32a6bc0325352afed4f20

      SHA1

      a629d20f30883206ea05969cac44277056ca8b60

      SHA256

      4b76fdefa0bd73fe3d030d52a7808d3ab5d6b4a67356ab9b6c058b8359cc9af8

      SHA512

      3ada5174444d1ad02c06c3035c2e08e51aeb1edaf625069cbf05f284c21252945ae34285cce13339f6573b4ff0824444101af51ee55f8d0bb29f560c290346a4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      51963f10ddf35842e7c752cfe19344f8

      SHA1

      e251d854d84f2000c8c53e0ce6dca328176a7391

      SHA256

      a7ad8e0097adde54b4780c72137a3f18a575159e905523e9c8fc1f5d05117afa

      SHA512

      a98b97ae96ef18ac895be70eb47b5d000765b8ad51c183c8c53fb103ecfeb16cff9288ba602b37feab2cc7abb9d432c5feb4feedc7dc30ff870f9a99dd884f7a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d84a6e5340b6af43811986d1947d5e68

      SHA1

      96563721cba78ffcab1623629644296289edaffc

      SHA256

      93b14e6b9b33d27cd785cd343010f4809b8e6530dfdc6bff1e7baf7b47a0f5ea

      SHA512

      f7cb6d182b9b65ef14f13e8184671f66d8526e2d9e1a78bbafead5166f9553f3afe857c8ab7b3b1beb1525d98a9e398fed5fa9076a9be9f00c9e15829137cd71

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      99811ea88b820ec9f425b55d4da32785

      SHA1

      f9f8af6ffd107a8d3f6e76067a740e8b78d4c17f

      SHA256

      340a416a8157db9cb4a97b65440a16ddfda5d23de440144e23dbf4ce36936de0

      SHA512

      5818ff48d07b86d487999d916d9c0cb7f64ef984a213db947daf4e314528901b9b1f48eafae6189116271c4b912f276c925542acaafa6439edb1a4327382fdd3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c7b1b6a1b56db168fe7581889fcfdede

      SHA1

      4d61ac7b7cf75c29879524064b9fe639ff0ce704

      SHA256

      8025eb8ef736a1f1c10f5cb0e1b14aaede1de88ac4f4705d1042b3b77188d4be

      SHA512

      64e81d2010332726b9b87e543641e97a334382d07737d68888b2cfc6545925d4f064de62603054ffd476866439980f3427a342da44c6c2d411fa7425fd720e9f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c270070a252c2716f696444e830c0093

      SHA1

      8699793a021d14a2b1633428f1fb2b16e9a4c859

      SHA256

      617ea94a0a4c1ed34a1801a445c1c69e0725848fe907d3e7d36b136c229ade8a

      SHA512

      7d0a2d5c7a5fb5f3531acd909154f12059b509cf140b4e4bdc3df0dd625b98c505bfd3b5ee86a1f48f7adc9cde4462b53c87be059db9d55c862b7c803bd2ed42

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      9473798ffafa8acb692f09b4349d5b8b

      SHA1

      6aa081d09ff05654d6255fae4592b30c7f810721

      SHA256

      e3a80c524d775cc2eec66992c043a873f27303ba5a7f577863fb9521f0e6fb56

      SHA512

      652b0f6dd1add4523ba9be800458b5483d3cdd14a77bb7c48acf2b3119c68c302dd9c79439ef1354917533aee005563008a4bafdb0b4d4a74ec3075493a1ef73

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      50e8c55fa5a4a9bc79e7752e94bf2a0f

      SHA1

      478bfd4dffcd512a981d342b5319d0934ced49f8

      SHA256

      d8cb239f7029f9140ad59d9062154300b08db639008282642dfcd2eb8c48ded6

      SHA512

      43bdf208ac6ee9ffbc345c8474ef722015726cd6803c56c51cdc2a4db3f4aabd86f198bb19edb415ab0ff05e26286d9d500ff3c7b639ec79b595ffa109e73d19

    • C:\Users\Admin\AppData\Local\Temp\Cab7FAC.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar809F.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\ajtoweqsyjej.exe

      Filesize

      369KB

      MD5

      3b240ca653bd5467b19e195889c07c6e

      SHA1

      bfb732fd34099fb9f4467cfab185a4bf3bb28e95

      SHA256

      62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6

      SHA512

      32242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296

    • memory/2016-6015-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

    • memory/2088-0-0x00000000001B0000-0x00000000001B3000-memory.dmp

      Filesize

      12KB

    • memory/2088-14-0x00000000001B0000-0x00000000001B3000-memory.dmp

      Filesize

      12KB

    • memory/2260-756-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-6019-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-51-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-47-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-46-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-2413-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-5580-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-6008-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-6014-0x0000000002C90000-0x0000000002C92000-memory.dmp

      Filesize

      8KB

    • memory/2260-45-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-6017-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-50-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2260-6022-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-28-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-17-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-3-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-5-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-7-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-9-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2608-13-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-16-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2608-1-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

    • memory/2812-25-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB