Overview

overview

10

Static

static

10

BLTools.exe

windows7-x64

10

BLTools.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BLTools.exe

  • Size

    29KB

  • MD5

    3a946215b3e2a3d8de77764e999a0eb0

  • SHA1

    af6a6d609a095abc66c753f02b0cb1bc739e6362

  • SHA256

    9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

  • SHA512

    f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f

  • SSDEEP

    384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j

Score
10/10
limeratdiscoveryevasionpersistenceprivilege_escalationratspyware

Malware Config

Extracted

Family

limerat

Wallets

bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz

Attributes
  • aes_key

    hakai

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/GmxD75vS

  • delay

    5

  • download_payload

    false

  • install

    true

  • install_name

    MSVCHOST.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \Microsoftt\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/GmxD75vS

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Limerat family
    limerat
  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BLTools.exe
    "C:\Users\Admin\AppData\Local\Temp\BLTools.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe
      "C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nnc05epr\nnc05epr.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABB66FFB40B846C59866445FA2C78C88.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1744
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\arb5uwcv\arb5uwcv.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3236
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x2nwklwr\x2nwklwr.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc478B9AEF534049099434D1A2EE81409D.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C RDPWInst.exe -i -o
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
          RDPWInst.exe -i -o
          4⤵
          • Server Software Component: Terminal Services DLL
          • Executes dropped EXE
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SYSTEM32\netsh.exe
            netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:4696
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
      PID:316
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -s TermService
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5008

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Server Software Component

    1
    T1505

    Terminal Services DLL

    1
    T1505.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Remote Services

    1
    T1021

    Remote Desktop Protocol

    1
    T1021.001

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
      Filesize

      1.4MB

      MD5

      3288c284561055044c489567fd630ac2

      SHA1

      11ffeabbe42159e1365aa82463d8690c845ce7b7

      SHA256

      ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

      SHA512

      c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES44B0.tmp
      Filesize

      5KB

      MD5

      deac3987b3c487ba49ad2866217366ef

      SHA1

      ced56d49c26527ade05f7693fd748495b4dc1f1a

      SHA256

      488ba14949c4ea90cb4ecbf9eca9eabc8106ad24d266d9d4e0e98dbe5ddbc433

      SHA512

      420662dc6024d68ab3510d621215648642cc8769ff948292c0c5a9059abe4afa282b9cf26d8d4023b62b8391ba7b77f967bdfe24878dc4c32cc8488221254be8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES45F8.tmp
      Filesize

      5KB

      MD5

      aab5dfd2fc2d8225283415aaa816e7d7

      SHA1

      dd2902c5ec9bd8149ed1fc6eb63315d0ac30616e

      SHA256

      92e2dccc33a117140d7c40c1a4406cdf2966cdc070c02bec66a06132c3b3bae4

      SHA512

      1c0315a231a122ad0ee416d49581925efae209882b206710c649e8381a552bb0771388e2cc6bd79066e6ef6e36bd26566580afe11a3bb61b3b68d8d66d11e883

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\arb5uwcv\arb5uwcv.0.vb
      Filesize

      240B

      MD5

      d3715a1c279b7935c2935279af3f2fcc

      SHA1

      d403a12a455028d581dde3dbdda152bf47e0365e

      SHA256

      02892fc14e02400cd457f3d5d639df3949dad77bfafd8e78cc496cea1ce20a5c

      SHA512

      739936442d2d5268a55e73f52e835d5610994ce2043a610751941bade1f51671f04ddcbaa4df81f4ba2bbb85bcf0293a713796d6e41f880bd6388c9a8f114d8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\arb5uwcv\arb5uwcv.cmdline
      Filesize

      293B

      MD5

      9b41e31455d557e79e6eda6950d321b5

      SHA1

      95a32dab96d0445322196093bb7fae77018c66e5

      SHA256

      fd82cf6fbb91f27d8bbe1d93dffbe976cfe827fffe79450c15aa02957b0d632f

      SHA512

      fdf43003f385abeb23a7a06e367ef3c1b816a6d4044cf45bbd04b6204e7f79dd0efa05f9e3804464dd961ffabc02e7cf3bd7bb7950b88df2f3f80078b099fca9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nnc05epr\nnc05epr.0.vb
      Filesize

      234B

      MD5

      b1853a3b9271b41c5805c7b1b2112f24

      SHA1

      6f840b974e662c94e1dc294b953bdb138fc3c449

      SHA256

      dc0e9961c97a713f2ec3696d755fb01edf8931ec83b3b19b8417cbae8841888e

      SHA512

      d0ac6c638dbd08456790e21c2ffb0496e53f9e7c6ca69ed0dfe3d10fe0f7018a29629ac86338b054c2740c3bfe03ff0b69b890bd839bc17dc3e96aca66a7a518

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nnc05epr\nnc05epr.cmdline
      Filesize

      282B

      MD5

      cd1511bebaedf3b477ef8dc50643d001

      SHA1

      40ccec472921b975124a624581550b0ca4dcf58e

      SHA256

      bccec5715f8ca82d4ff274fbc35d09bc7571b3b48f8ff8adc0f970dcb5898881

      SHA512

      b5d79d8426195960e03b62111fac188a3321ddf6d722665c7554fb6119cdeb52e04cd81afecc8a3859f6fbc64964c69b81dab1f778d1105ebd9d31a0ac565b23

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc478B9AEF534049099434D1A2EE81409D.TMP
      Filesize

      4KB

      MD5

      4162c05f88e8459f843325fddd58b73d

      SHA1

      585a582f7c4d9b218d68ca18d6cf46801b1db4fe

      SHA256

      3ffa4819f285544e028ad56d2ade2bf07599d569bb925812a0566deea7ae17fc

      SHA512

      cc2d732fe8f925df5d9c03b5f237dcbb5c9ca93d0878b2b29bbc635e9daec32a460e45510088831fd3e00015e01649df2b378db4a982f536cd1f1beabc102af1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcABB66FFB40B846C59866445FA2C78C88.TMP
      Filesize

      4KB

      MD5

      3bc8adeb12a0fcc53a2368d6b2ac06f1

      SHA1

      1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

      SHA256

      05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

      SHA512

      8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\x2nwklwr\x2nwklwr.0.vb
      Filesize

      241B

      MD5

      940d0f650a00932d41f0aadca201e779

      SHA1

      e8046e7a598fd33d85caa9822a8e441a8cdb3707

      SHA256

      83f2d789fff0d03c5ed56de4b16964e7dcedc5ffea05757bab4f80ba271a946f

      SHA512

      fdb65da9cd53b3ef8f4a0c66b457a5c6febb05681fba88a0844c6af57f596b45669aa46e964bf871cbc98d8e6978d3227225e9bfd28c5b2735733de97113bdfe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\x2nwklwr\x2nwklwr.cmdline
      Filesize

      295B

      MD5

      74ffde2c3574f70617661257f2646527

      SHA1

      bbb8b8e0a5b3221869092cdd9a82802871e16dda

      SHA256

      c6dd9a6dc97da5bb4ca900520e8e197768a217abff6c2f41682520ab2b0b4b18

      SHA512

      16e041868f0281c437957a6b11e30b337023e0df960f38c967cacb08322768b628755b71d70adc292250e7ac368d6f0fb2b250d8ad13fcec7c442022e0e265e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico
      Filesize

      4KB

      MD5

      a561ca41d3b29c57ab61672df8d88ec9

      SHA1

      24567a929b98c2536cd2458fdce00ce7e29710f0

      SHA256

      f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

      SHA512

      eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico
      Filesize

      6B

      MD5

      ed5a964e00f4a03ab201efe358667914

      SHA1

      d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

      SHA256

      025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

      SHA512

      7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Lime\ICO\MicrosoftEdge.ico
      Filesize

      4KB

      MD5

      dfe08c8c6e8e1142309ac81d3ea765ec

      SHA1

      da81d0b263ca62dcc2deab48835cf1dc1e8dac0a

      SHA256

      04d17515c60ac7ec901b27e116fd1a965f529dcb20b3609df5b3cb58cff8e456

      SHA512

      2b4f91df4b9a75df3e7fc50733b795adaafc4d8ae323339fbb9a38309c6898a6b877f6fa6a2cb476f661d80a5f1969b284deef5c0a4439b221ddd8750bb102ef

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoftt\IconLib.dll
      Filesize

      59KB

      MD5

      45ecaf5e82da876240f9be946923406c

      SHA1

      0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

      SHA256

      087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

      SHA512

      6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe
      Filesize

      29KB

      MD5

      3a946215b3e2a3d8de77764e999a0eb0

      SHA1

      af6a6d609a095abc66c753f02b0cb1bc739e6362

      SHA256

      9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

      SHA512

      f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f

      Download Submit

    • \??\c:\program files\rdp wrapper\rdpwrap.dll
      Filesize

      114KB

      MD5

      461ade40b800ae80a40985594e1ac236

      SHA1

      b3892eef846c044a2b0785d54a432b3e93a968c8

      SHA256

      798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

      SHA512

      421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      Download Submit

    • \??\c:\program files\rdp wrapper\rdpwrap.ini
      Filesize

      128KB

      MD5

      dddd741ab677bdac8dcd4fa0dda05da2

      SHA1

      69d328c70046029a1866fd440c3e4a63563200f9

      SHA256

      7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

      SHA512

      6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

      Download Submit

    • memory/1952-73-0x0000000001900000-0x0000000001912000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1952-78-0x0000000006280000-0x00000000062E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1952-18-0x0000000006E50000-0x0000000006EE2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1952-17-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1952-28-0x00000000014C0000-0x00000000014D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1952-16-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1952-20-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1952-21-0x0000000007D30000-0x0000000007D4E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1952-19-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1952-77-0x0000000008380000-0x0000000008560000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1952-22-0x0000000007D50000-0x0000000007D74000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1952-72-0x00000000018D0000-0x00000000018DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1952-71-0x00000000061D0000-0x00000000061DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2712-98-0x0000000000400000-0x000000000056F000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4236-2-0x00000000055E0000-0x000000000567C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4236-3-0x00000000056A0000-0x0000000005706000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4236-0-0x000000007515E000-0x000000007515F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4236-4-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4236-1-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4236-5-0x00000000062B0000-0x0000000006854000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4236-15-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download