jigsaw | 653f642b866f37fc6d149ee025a318bea8a53ff1a48caa5f2f3d53f08ccb3d71

Analysis

max time kernel
96s
max time network
131s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-10-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xerin-unpacker.zip
Size

236KB
MD5

b651a3553ab3a5bcb7b214970d472b42
SHA1

be3260cd668dac8d35503ad4a99adfa5e742da76
SHA256

653f642b866f37fc6d149ee025a318bea8a53ff1a48caa5f2f3d53f08ccb3d71
SHA512

f4428046e0b4df072a3f6b690dfd1a64db4823af3482f128480444a4af7a4263c1104d0d0bba76dd2c0041e8e33bcf58aba2f38805ee36d1f1b639e58725b44e
SSDEEP

6144:tYt0q+BReFMTsYCccx596gyWBXcuYNoqOE6j:tYt+BReiTmca59ojgX

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Renames multiple (738) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	xerin-unpacker.exe

Deletes itself 1 IoCs

pid	Process
848	drpbx.exe

Executes dropped EXE 13 IoCs

pid	Process
2024	xerin-unpacker.exe
848	drpbx.exe
3464	xerin-unpacker.exe
3716	xerin-unpacker.exe
3268	xerin-unpacker.exe
536	xerin-unpacker.exe
3920	xerin-unpacker.exe
4688	xerin-unpacker.exe
4108	xerin-unpacker.exe
644	xerin-unpacker.exe
1604	xerin-unpacker.exe
2412	xerin-unpacker.exe
3144	xerin-unpacker.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	xerin-unpacker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.fun	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar	drpbx.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx.fun	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.fun	drpbx.exe
File created	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat	drpbx.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.fun	drpbx.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.fun	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat	drpbx.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4472	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4472	7zFM.exe
Token: 35	4472	7zFM.exe
Token: SeSecurityPrivilege	4472	7zFM.exe
Token: SeDebugPrivilege	4412	taskmgr.exe
Token: SeSystemProfilePrivilege	4412	taskmgr.exe
Token: SeCreateGlobalPrivilege	4412	taskmgr.exe
Token: 33	4412	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4412	taskmgr.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4472	7zFM.exe
4472	7zFM.exe
848	drpbx.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe
4412	taskmgr.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 848	2024	xerin-unpacker.exe	88
PID 2024 wrote to memory of 848	2024	xerin-unpacker.exe	88

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\xerin-unpacker.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4472

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\xerin-unpacker.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:848

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3464

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3716

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4412

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3268

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:536

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3920

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4688

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4108

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:644

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1604

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2412

C:\Users\Admin\Desktop\xerin-unpacker.exe
"C:\Users\Admin\Desktop\xerin-unpacker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\xerin-unpacker.exe.log

Filesize
430B

MD5
625000a42d165f2ca3320a4f3b4ed133

SHA1
9b1344a4a5af842a6722c257de51bf654c458871

SHA256
407f08a36156ecd7d93317888a463c0390f31ff9cc81b4c23019f0b02bfbafe0

SHA512
5f7f39294d181d7e538c8096c8d54862f4b084cab0f80d62ea6bcd140ca777740a2c059eeca757a624aa4f778648ccb361b3f9eba204154e3f72b1a640dbbbea

Download Submit
C:\Users\Admin\Desktop\xerin-unpacker.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
memory/848-13-0x0000000001160000-0x0000000001168000-memory.dmp

Filesize
32KB

Download
memory/2024-4-0x00007FFB931D5000-0x00007FFB931D6000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x00007FFB92F20000-0x00007FFB938C1000-memory.dmp

Filesize
9.6MB

Download
memory/2024-6-0x00007FFB92F20000-0x00007FFB938C1000-memory.dmp

Filesize
9.6MB

Download
memory/2024-7-0x0000000001250000-0x0000000001288000-memory.dmp

Filesize
224KB

Download
memory/2024-8-0x000000001BED0000-0x000000001C39E000-memory.dmp

Filesize
4.8MB

Download
memory/2024-9-0x000000001B860000-0x000000001B8FC000-memory.dmp

Filesize
624KB

Download
memory/2024-12-0x00007FFB92F20000-0x00007FFB938C1000-memory.dmp

Filesize
9.6MB

Download
memory/4412-40-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-42-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-41-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-52-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-51-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-50-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-49-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-48-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-47-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download
memory/4412-46-0x0000026723740000-0x0000026723741000-memory.dmp

Filesize
4KB

Download