strrat | 43e480eaff9c6da18d3c042231ed82f0a09a7adb3301311c159941e75a105a2c

Analysis

max time kernel
145s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
04-11-2020 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02_extracted.jar
Size

83KB
MD5

9250c46915d7fc36a5605a3756447dec
SHA1

b33288cc02bf24008488b14e648943a214265067
SHA256

43e480eaff9c6da18d3c042231ed82f0a09a7adb3301311c159941e75a105a2c
SHA512

093e64939119d1d742428379ec05460a00c6b4d96c4e8fcb425bcd752cacfd18a394fe7d04671fd9f131beb89a41e9e0517d1238430820e5347e271a1090dc05

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02_extracted.jar java.exe
Loads dropped DLL 3 IoCs

Processes:

java.exejava.exejava.exe

pid process

3448 java.exe
1200 java.exe
2592 java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02_extracted.jar	java.exe

pid	process
3448	java.exe
1200	java.exe
2592	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\02_extracted = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\02_extracted.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02_extracted = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\02_extracted.jar\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	ioc
22	ip-api.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3232	WMIC.exe
Token: SeSecurityPrivilege	3232	WMIC.exe
Token: SeTakeOwnershipPrivilege	3232	WMIC.exe
Token: SeLoadDriverPrivilege	3232	WMIC.exe
Token: SeSystemProfilePrivilege	3232	WMIC.exe
Token: SeSystemtimePrivilege	3232	WMIC.exe
Token: SeProfSingleProcessPrivilege	3232	WMIC.exe
Token: SeIncBasePriorityPrivilege	3232	WMIC.exe
Token: SeCreatePagefilePrivilege	3232	WMIC.exe
Token: SeBackupPrivilege	3232	WMIC.exe
Token: SeRestorePrivilege	3232	WMIC.exe
Token: SeShutdownPrivilege	3232	WMIC.exe
Token: SeDebugPrivilege	3232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3232	WMIC.exe
Token: SeRemoteShutdownPrivilege	3232	WMIC.exe
Token: SeUndockPrivilege	3232	WMIC.exe
Token: SeManageVolumePrivilege	3232	WMIC.exe
Token: 33	3232	WMIC.exe
Token: 34	3232	WMIC.exe
Token: 35	3232	WMIC.exe
Token: 36	3232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3232	WMIC.exe
Token: SeSecurityPrivilege	3232	WMIC.exe
Token: SeTakeOwnershipPrivilege	3232	WMIC.exe
Token: SeLoadDriverPrivilege	3232	WMIC.exe
Token: SeSystemProfilePrivilege	3232	WMIC.exe
Token: SeSystemtimePrivilege	3232	WMIC.exe
Token: SeProfSingleProcessPrivilege	3232	WMIC.exe
Token: SeIncBasePriorityPrivilege	3232	WMIC.exe
Token: SeCreatePagefilePrivilege	3232	WMIC.exe
Token: SeBackupPrivilege	3232	WMIC.exe
Token: SeRestorePrivilege	3232	WMIC.exe
Token: SeShutdownPrivilege	3232	WMIC.exe
Token: SeDebugPrivilege	3232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3232	WMIC.exe
Token: SeRemoteShutdownPrivilege	3232	WMIC.exe
Token: SeUndockPrivilege	3232	WMIC.exe
Token: SeManageVolumePrivilege	3232	WMIC.exe
Token: 33	3232	WMIC.exe
Token: 34	3232	WMIC.exe
Token: 35	3232	WMIC.exe
Token: 36	3232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: 36	1328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

java.exejava.exejava.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1036 wrote to memory of 3448	1036	java.exe	java.exe
PID 1036 wrote to memory of 3448	1036	java.exe	java.exe
PID 3448 wrote to memory of 1200	3448	java.exe	java.exe
PID 3448 wrote to memory of 1200	3448	java.exe	java.exe
PID 1200 wrote to memory of 2592	1200	java.exe	java.exe
PID 1200 wrote to memory of 2592	1200	java.exe	java.exe
PID 1200 wrote to memory of 512	1200	java.exe	cmd.exe
PID 1200 wrote to memory of 512	1200	java.exe	cmd.exe
PID 512 wrote to memory of 3232	512	cmd.exe	WMIC.exe
PID 512 wrote to memory of 3232	512	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 2080	1200	java.exe	cmd.exe
PID 1200 wrote to memory of 2080	1200	java.exe	cmd.exe
PID 2080 wrote to memory of 1328	2080	cmd.exe	WMIC.exe
PID 2080 wrote to memory of 1328	2080	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 876	1200	java.exe	cmd.exe
PID 1200 wrote to memory of 876	1200	java.exe	cmd.exe
PID 876 wrote to memory of 3400	876	cmd.exe	WMIC.exe
PID 876 wrote to memory of 3400	876	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 1512	1200	java.exe	cmd.exe
PID 1200 wrote to memory of 1512	1200	java.exe	cmd.exe
PID 1512 wrote to memory of 1856	1512	cmd.exe	WMIC.exe
PID 1512 wrote to memory of 1856	1512	cmd.exe	WMIC.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\02_extracted.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\02_extracted.jar"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\02_extracted.jar"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      PID:2592
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        5⤵
        
        PID:3400
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        5⤵
        
        PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
e2383f107b0290285c9dda2ce7ec06c4

SHA1
5518ec9412441c933eade0d7d35a9937076a4f31

SHA256
f566ee53f7f271e498d0c74a2f59e738915e48327ae57b89c70ad043ef00cd9f

SHA512
3fd22bf41d884f3d81a86c7009b14efe6c5bbef6baaf2cb4f7241625714d66d8c50e659befd6dcd9876c20c13da29583868a77e73d2dcb5b83bbb5c4f0a839cb

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
6191fef416cf3f3c5a54ca0ca43065ed

SHA1
6c64846d0dae3122747803bb1a9fb298b613c5d7

SHA256
76d6bf3aa76ee03126b08b1b23ebef684e11e9eef5b0002d8d94fdd829e28f29

SHA512
d8ec1ac33fe56a5e23372c85d279e29638465296927f1cd8a8efd6b1aa021ad23c81fc6f1e6650e38adf9419f71323e0f0d5b61eebfaf483118775f11084e571

Download Submit
C:\Users\Admin\02_extracted.jar

MD5
9250c46915d7fc36a5605a3756447dec

SHA1
b33288cc02bf24008488b14e648943a214265067

SHA256
43e480eaff9c6da18d3c042231ed82f0a09a7adb3301311c159941e75a105a2c

SHA512
093e64939119d1d742428379ec05460a00c6b4d96c4e8fcb425bcd752cacfd18a394fe7d04671fd9f131beb89a41e9e0517d1238430820e5347e271a1090dc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna3888686215227823346.dll

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5510413491577389109.dll

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\02_extracted.jar

MD5
9250c46915d7fc36a5605a3756447dec

SHA1
b33288cc02bf24008488b14e648943a214265067

SHA256
43e480eaff9c6da18d3c042231ed82f0a09a7adb3301311c159941e75a105a2c

SHA512
093e64939119d1d742428379ec05460a00c6b4d96c4e8fcb425bcd752cacfd18a394fe7d04671fd9f131beb89a41e9e0517d1238430820e5347e271a1090dc05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\83aa4cc77f591dfc2374580bbd95f6ba_4a1d5b5d-6336-41a4-a4da-b4af65e6deff

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\AppData\Roaming\plugins.jar

MD5
9250c46915d7fc36a5605a3756447dec

SHA1
b33288cc02bf24008488b14e648943a214265067

SHA256
43e480eaff9c6da18d3c042231ed82f0a09a7adb3301311c159941e75a105a2c

SHA512
093e64939119d1d742428379ec05460a00c6b4d96c4e8fcb425bcd752cacfd18a394fe7d04671fd9f131beb89a41e9e0517d1238430820e5347e271a1090dc05

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna247282591689811562.dll

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna3888686215227823346.dll

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna5510413491577389109.dll

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
memory/512-68-0x0000000000000000-mapping.dmp

Download
memory/876-77-0x0000000000000000-mapping.dmp

Download
memory/1200-45-0x0000000000000000-mapping.dmp

Download
memory/1328-72-0x0000000000000000-mapping.dmp

Download
memory/1512-83-0x0000000000000000-mapping.dmp

Download
memory/1856-84-0x0000000000000000-mapping.dmp

Download
memory/2080-71-0x0000000000000000-mapping.dmp

Download
memory/2592-61-0x0000000000000000-mapping.dmp

Download
memory/3232-70-0x0000000000000000-mapping.dmp

Download
memory/3400-78-0x0000000000000000-mapping.dmp

Download
memory/3448-29-0x0000000000000000-mapping.dmp

Download