100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

Analysis

max time kernel
139s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
25-11-2020 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
Size

376KB
MD5

3eafc3e74deeffaccc2a203154265a30
SHA1

0de031ececa86e4e318f266f291474fc73d491ac
SHA256

100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea
SHA512

2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

9 456 rundll32.exe
14 1652 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

tdun.exeTaurus22.exeTaurus22.exe

pid process

1696 tdun.exe
960 Taurus22.exe
1532 Taurus22.exe

flow	pid	process
9	456	rundll32.exe
14	1652	rundll32.exe

pid	process
1696	tdun.exe
960	Taurus22.exe
1532	Taurus22.exe

Loads dropped DLL 14 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exerundll32.exetdun.exerundll32.exe

pid	process
1848	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
1848	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
456	rundll32.exe
456	rundll32.exe
456	rundll32.exe
456	rundll32.exe
1696	tdun.exe
1696	tdun.exe
1696	tdun.exe
1696	tdun.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

844 schtasks.exe
1408 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1472 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

456 rundll32.exe
456 rundll32.exe
456 rundll32.exe
456 rundll32.exe

pid	process
844	schtasks.exe
1408	schtasks.exe

pid	process
1472	timeout.exe

pid	process
456	rundll32.exe
456	rundll32.exe
456	rundll32.exe
456	rundll32.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exetdun.execmd.exeTaurus22.execmd.exetaskeng.exeTaurus22.execmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 1696	1848	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 1848 wrote to memory of 1696	1848	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 1848 wrote to memory of 1696	1848	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 1848 wrote to memory of 1696	1848	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 1696 wrote to memory of 912	1696	tdun.exe	cmd.exe
PID 1696 wrote to memory of 912	1696	tdun.exe	cmd.exe
PID 1696 wrote to memory of 912	1696	tdun.exe	cmd.exe
PID 1696 wrote to memory of 912	1696	tdun.exe	cmd.exe
PID 912 wrote to memory of 1668	912	cmd.exe	reg.exe
PID 912 wrote to memory of 1668	912	cmd.exe	reg.exe
PID 912 wrote to memory of 1668	912	cmd.exe	reg.exe
PID 912 wrote to memory of 1668	912	cmd.exe	reg.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 456	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 960	1696	tdun.exe	Taurus22.exe
PID 1696 wrote to memory of 960	1696	tdun.exe	Taurus22.exe
PID 1696 wrote to memory of 960	1696	tdun.exe	Taurus22.exe
PID 1696 wrote to memory of 960	1696	tdun.exe	Taurus22.exe
PID 1696 wrote to memory of 844	1696	tdun.exe	schtasks.exe
PID 1696 wrote to memory of 844	1696	tdun.exe	schtasks.exe
PID 1696 wrote to memory of 844	1696	tdun.exe	schtasks.exe
PID 1696 wrote to memory of 844	1696	tdun.exe	schtasks.exe
PID 960 wrote to memory of 1624	960	Taurus22.exe	cmd.exe
PID 960 wrote to memory of 1624	960	Taurus22.exe	cmd.exe
PID 960 wrote to memory of 1624	960	Taurus22.exe	cmd.exe
PID 960 wrote to memory of 1624	960	Taurus22.exe	cmd.exe
PID 1624 wrote to memory of 1408	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1408	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1408	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1408	1624	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1696 wrote to memory of 1652	1696	tdun.exe	rundll32.exe
PID 1668 wrote to memory of 1532	1668	taskeng.exe	Taurus22.exe
PID 1668 wrote to memory of 1532	1668	taskeng.exe	Taurus22.exe
PID 1668 wrote to memory of 1532	1668	taskeng.exe	Taurus22.exe
PID 1668 wrote to memory of 1532	1668	taskeng.exe	Taurus22.exe
PID 1532 wrote to memory of 396	1532	Taurus22.exe	cmd.exe
PID 1532 wrote to memory of 396	1532	Taurus22.exe	cmd.exe
PID 1532 wrote to memory of 396	1532	Taurus22.exe	cmd.exe
PID 1532 wrote to memory of 396	1532	Taurus22.exe	cmd.exe
PID 396 wrote to memory of 1472	396	cmd.exe	timeout.exe
PID 396 wrote to memory of 1472	396	cmd.exe	timeout.exe
PID 396 wrote to memory of 1472	396	cmd.exe	timeout.exe
PID 396 wrote to memory of 1472	396	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848

C:\ProgramData\df06955a2a\tdun.exe
"C:\ProgramData\df06955a2a\tdun.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
3⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
4⤵
PID:1668

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\cred.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
"C:\Users\Admin\AppData\Local\Temp\Taurus22.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\kGDHDfID.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\kGDHDfID.exe"
5⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Taurus22.exe /TR "C:\Users\Admin\AppData\Local\Temp\Taurus22.exe" /F
3⤵
- Creates scheduled task(s)
PID:844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\scr.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
PID:1652

C:\Windows\system32\taskeng.exe
taskeng.exe {0E4460EA-01BB-47F1-8924-8FAC5C0A9298} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152138250354662522850611
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
C:\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
C:\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
memory/360-7-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/396-32-0x0000000000000000-mapping.dmp

Download
memory/456-8-0x0000000000000000-mapping.dmp

Download
memory/844-20-0x0000000000000000-mapping.dmp

Download
memory/912-5-0x0000000000000000-mapping.dmp

Download
memory/960-18-0x0000000000000000-mapping.dmp

Download
memory/1408-22-0x0000000000000000-mapping.dmp

Download
memory/1472-33-0x0000000000000000-mapping.dmp

Download
memory/1532-30-0x0000000000000000-mapping.dmp

Download
memory/1624-21-0x0000000000000000-mapping.dmp

Download
memory/1652-23-0x0000000000000000-mapping.dmp

Download
memory/1668-6-0x0000000000000000-mapping.dmp

Download
memory/1696-2-0x0000000000000000-mapping.dmp

Download