c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

Resubmissions

21/07/2024, 10:21

240721-mdsbgsycje 10

20/07/2024, 13:01

240720-p8648szapp 10

Analysis

max time kernel
102s
max time network
41s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WellPlayed.exe
Size

145KB
MD5

337559ae1b02b42586781787918b4b6c
SHA1

114577ce6270fde6ed9dbc782484bfa36766baed
SHA256

c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505
SHA512

8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f
SSDEEP

3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1900	E225.tmp

Executes dropped EXE 1 IoCs

pid	Process
1900	E225.tmp

Loads dropped DLL 1 IoCs

pid	Process
1848	WellPlayed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	WellPlayed.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	WellPlayed.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\txdM9F1WD.bmp"	WellPlayed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop	WellPlayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10"	WellPlayed.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon	WellPlayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txdM9F1WD\DefaultIcon\ = "C:\\ProgramData\\txdM9F1WD.ico"	WellPlayed.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD	WellPlayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txdM9F1WD\ = "txdM9F1WD"	WellPlayed.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1684	NOTEPAD.EXE
1572	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe
1848	WellPlayed.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp
1900	E225.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeDebugPrivilege	1848	WellPlayed.exe
Token: 36	1848	WellPlayed.exe
Token: SeImpersonatePrivilege	1848	WellPlayed.exe
Token: SeIncBasePriorityPrivilege	1848	WellPlayed.exe
Token: SeIncreaseQuotaPrivilege	1848	WellPlayed.exe
Token: 33	1848	WellPlayed.exe
Token: SeManageVolumePrivilege	1848	WellPlayed.exe
Token: SeProfSingleProcessPrivilege	1848	WellPlayed.exe
Token: SeRestorePrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSystemProfilePrivilege	1848	WellPlayed.exe
Token: SeTakeOwnershipPrivilege	1848	WellPlayed.exe
Token: SeShutdownPrivilege	1848	WellPlayed.exe
Token: SeDebugPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeBackupPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe
Token: SeSecurityPrivilege	1848	WellPlayed.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1900	1848	WellPlayed.exe	32
PID 1848 wrote to memory of 1900	1848	WellPlayed.exe	32
PID 1848 wrote to memory of 1900	1848	WellPlayed.exe	32
PID 1848 wrote to memory of 1900	1848	WellPlayed.exe	32
PID 1848 wrote to memory of 1900	1848	WellPlayed.exe	32

C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe
"C:\Users\Admin\AppData\Local\Temp\WellPlayed.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\ProgramData\E225.tmp
  "C:\ProgramData\E225.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:1900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\txdM9F1WD.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1684

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\txdM9F1WD.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:2816

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\r9VemSS.txdM9F1WD
1⤵
- Modifies registry class
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\AAAAAAAAAAA

Filesize
129B

MD5
8d8a81019c54d9ebd3c690e5eac19a77

SHA1
392116a08546516f3c15c081a870a423247eecab

SHA256
8fe059187fb0ef07f3f2d4baf798bbb34ab3b3a77fcff9cd77d44e4c7df9614a

SHA512
463fe3e1664b9f2b98001560196a71bc78ea75fb23928a7e99f57e8dcaac0179f5c2c13e164886a290306a13f6dcfbcf91631d51c35da4147f4a5d6d7c323839

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
145KB

MD5
7421794e1b528237100e5a51cedc82dd

SHA1
9140780327186bb789dfc5b5a8ffba950cb86397

SHA256
d9dc11171f01ec34218ba23fc1aefece2a8da70ca49a75201784b41957372bde

SHA512
2f21ee80b2db228cc05428fb7cc44e9de089d6af1f7b3cc24dfd141e26c9a7a63f06bf31cb063dccde0a5edd11701bb0bbfe53d6a978dc3d1899a29bc71dd574

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\X9OESX0.txdM9F1WD

Filesize
3KB

MD5
0ca393343fa5d3cd875bf3b717bd1f1c

SHA1
4e4ac2f4331ff251e4c60bc0b3b182ac875daeee

SHA256
43f64b07967167ed73e3cfcfc711e96883565c46deb39b37112eff89b3e7c2e7

SHA512
8f91993202c148282fc897fd6a62fc62cb2c155fa7c0f1c787a6c2e452b16b4496289bfb8157ea0526fb1207a56a07520012790f31de12185c2c4479982945b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\XiSHU8d.txdM9F1WD

Filesize
3KB

MD5
05249df87779236d8b1e3c630884c0ce

SHA1
4c18f68dd82fca17e9708afa1b02f144ba83f0ac

SHA256
9bd5b91ac48daecb8d96993fe1f6cf3d0da6af7cd7191626253203928cbc40cf

SHA512
6212c903375c0fe59c005410dec2ad8a53562a42a123ab77b25da53bc3ce31a92873accd76ef490705350508656d6262065fb176e1be054c2000e5940891b5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\YnIGKlw.txdM9F1WD

Filesize
2KB

MD5
6416a3d4a930206f185287087642e2a9

SHA1
4ba6d4ecb8717647f6d8eeb4df04f3e5ebd0ad5b

SHA256
b56e38129bb85206499d17e8d660fea9a800fb14b98dd3567bdb3d4260ecc7da

SHA512
1e609949d2e3fe2fa1d817b538d50b091bb008cbacb2976ae0535da694c4d8c18cdf60b293add0c65c7fb91d50bc873dddfc9836c6e68bf59a15842c7a2ab445

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\Yu4uSfx.txdM9F1WD

Filesize
2KB

MD5
08ae65286dcd2db512ac26be195c7c2e

SHA1
d999188f5ba64a1b9dd10ec85ff7e6449220e4e6

SHA256
25f8d7fbd4c940206dcf3fc09341fe6d33e34e484235fde7bf0c0319ab5b22ec

SHA512
7ba07a735769658fffae9fc86285d6199f9bab428fee298b024a5ebf4abe3ccfa46513f3d5310adad61aac458d919e9e46f6ddef7c47a535a6b8165afa0ff287

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ZOEEyKu.txdM9F1WD

Filesize
2KB

MD5
52d2e23d662f1c3425747da86bbb2cb8

SHA1
4d19ef96f45b68a7298abc16b3854c3e86962441

SHA256
3dbc7dc4442036c7e5c9234e4d0d0ec32d25814e0796f8e9c44e5692487ed4fb

SHA512
8b426a4e1553743b70d4dc2acc2f1749486df5436f1c7aa022a673d7c5185e8479240e5ef1d0e48738f5d409ca3b0453e50b95465c8c3ae16a3920d4b192462a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ZhPvxM1.txdM9F1WD

Filesize
2KB

MD5
a552d81e13819e75067d378886a0ec0b

SHA1
064a6ff94964f1c8a66d9fb3a1dc0073d3b6a355

SHA256
2fad53aec2186455eb8555d145c40b8fad68d6a697a67e898857076f436c12da

SHA512
25f2b27c3d0bdfd9d86140ccb651ccd62a486c7fa2551a5f53e1c147f3daf00c985ead2339fa89d8e21a4ae3624ccf3122fb5b36755851f8ea3b11a4de25fed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ZtiN0TB.txdM9F1WD

Filesize
2KB

MD5
ca61d5db4754ab18d2780f96e500a0eb

SHA1
004255d81e10cccc0ab80c2f5a854861921f255d

SHA256
be6917574b4eb226048fcc051d2e5adf125161833a66d1c3b2444e015fa047e7

SHA512
180093fe310c3b1547d685f79d03fb27fac281238f72b32784a1f717d40ce3470c00c1ee552f75ad5c5158dc14533ebdf0227c17c78de33a7e105afd3fe2ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\xFf2dJw.txdM9F1WD

Filesize
2KB

MD5
9513f058026fa1cd7a285992e0995f5a

SHA1
9f354ba8e8acfc0bf1f4a92c0d9d5bc5d5cfea22

SHA256
f364d0d435fa060fdfa09e38adb34a163dcd761ec36281b61c68cab009e585b5

SHA512
a0a1bc873fd322de758983620e6537f62cbc094a22566fa305a630a9f4e4842170d5fc848b6bb5120730f7de50d8c0c75355f1da2f6f4450102cb52a02a5d1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\xGVDykQ.txdM9F1WD

Filesize
3KB

MD5
72964d0ae2b55f4ddd64119876bde2c2

SHA1
c5ead76b069242af0ae24fbd219b2f48d154714c

SHA256
5f3cdf580b5e661f7c1d24a387a37f11642d692163fdafb274ef00f1d02a94e5

SHA512
7c56da145f08ff0401d66809b5e91a8ff0cd40995ec569d76126e06f00d8e6776298a51a4306c77ec1e090dffd2ded6a0b8e627d748041442987e870a14f6035

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\xcYtTdc.txdM9F1WD

Filesize
2KB

MD5
004ba3edcc18eee08744d4ce5dba40a4

SHA1
7307513f7fc233ad29dce4084e42986a9fa2df56

SHA256
6156ec376c5124cb9d59297f26f4150437ad6e08ebc15975232483dcb901db3b

SHA512
2386f45c1bb0d5458696866f8e26ccd6f4b526773f1917a3ddf914afe935217b7d566e24dfa589a70de9a24f0408273893c3e9f948df9e5eac71f5331be465c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\xdh2UwY.txdM9F1WD

Filesize
2KB

MD5
808756ae08862a047b891baa093b13c6

SHA1
cf3ba04e098c056685c65cb10ae9c2dca7c8340b

SHA256
f461f2e1d690ac6e07cbd15b99f36f71ae6a926d30565295f36fb9bb90051628

SHA512
300b936997c0a9a7033bab8b1140ba8e58f4d0403fb798ff63e8b071f92a0ba98d0ff1636d18d52a397fc85bd51110f7f44e972e6b3627cec10bc53b43f916b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\ywcIFig.txdM9F1WD

Filesize
3KB

MD5
e61dad2bda1e748e9fe38c5fe9721360

SHA1
5a59490d3cbe427cccbe1d48400c5077fa347b8a

SHA256
bba65cfc1183e3cc43de697de25775461d2794942a122033896cf7e9128a369a

SHA512
e3f0f4bbb662512f4a97ac0b5545b1697724c609717cf131168ad2a0ca3a37474e0fbe2e79be6e29d7c02c44bf74a15473bc5bd57a8f81b83167710928699909

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\zN4gttq.txdM9F1WD

Filesize
2KB

MD5
a8b9f90f7ffec299b3c3aae5e6d588f3

SHA1
b15111fb9b7ee500e4ddbf645fc3376e35b2917b

SHA256
8b25d377235c67737797c08bf23e6097b1cbf01a8a1cbaa17c162cdf9399fcf3

SHA512
f8a96e7c7c9904d5668e11f013eba2c37b326b26bf759f0362f873615fe9dce6056ad10e45a978e47e00bea821e627aa244c12031627774161142b0e08ad9ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\zxLDV0X.txdM9F1WD

Filesize
2KB

MD5
38156d547a65cd36ec8bc5a51141ae61

SHA1
f69f48b21d5afebb6e57c464f291635959d9aba1

SHA256
50bab9a15338ae19529b04e891471e4aca94c068ead7bdbacc5066572484eb82

SHA512
9ebd99c2de15248bd844c5845266a2e3e97bb74c5fad2195e49c64ca561c0a6e349b5ff0175f4ca93088f4bbe10833c4369a9e44a092c6fedc30d78143851fab

Download Submit
C:\txdM9F1WD.README.txt

Filesize
27B

MD5
734928ecdc131bc5f8de15316a4a3c36

SHA1
99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

SHA256
5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

SHA512
e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\DDDDDDDDDDD

Filesize
129B

MD5
0a6edad340db25661b87f86a7d9db812

SHA1
c28fdfbd96bdfcd56c1adb2fa8b65b804b180fa5

SHA256
c2cd52a1f853f467d6e23e2d4b76aec879463d84d021f2f9d890e9d2666b807e

SHA512
c30d6692dc036e4a5d075d1dcd365bd5ad7df1b64d828169c14462512466ad94e937e2584ffb4c7b329aa328c448e2daaf3fc0db466adb5238b5830a8a14475f

Download Submit
\ProgramData\E225.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1848-0-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1900-3663-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1900-3661-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1900-3693-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download