6c94ef12be12667362545a64c325e125ba3647e58276faa93c663432f07d1ab0

Resubmissions

20-03-2021 14:00

210320-n9nmylwvyx 10

Analysis

max time kernel
105s
max time network
105s
platform
windows10_x64
resource
win10v20201028
submitted
20-03-2021 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vpn.exe
Size

1.1MB
MD5

025b474dae9f402be5568f96426fe1ec
SHA1

c586839de389951b5048272ebe40b33902db40eb
SHA256

6c94ef12be12667362545a64c325e125ba3647e58276faa93c663432f07d1ab0
SHA512

b2f604f248f960e6a01ea3065545fa53bb43f17ef5b9077732d481acafdfb367b9ddc97beb618a067d843c7ffa9280d480b0f493f0b94d864f354e1e130100bd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

29 720 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

Sei.exe.comSei.exe.comuvfjbefrcyn.exe

pid process

2136 Sei.exe.com
2216 Sei.exe.com
188 uvfjbefrcyn.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
29	720	WScript.exe

pid	process
2136	Sei.exe.com
2216	Sei.exe.com
188	uvfjbefrcyn.exe

flow	ioc
14	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sei.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sei.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sei.exe.com

Modifies registry class 1 IoCs

Processes:

Sei.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings Sei.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Sei.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Sei.exe.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sei.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sei.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

584 PING.EXE

pid	process
584	PING.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

vpn.execmd.execmd.exeSei.exe.comSei.exe.com

description	pid	process	target process
PID 1456 wrote to memory of 2680	1456	vpn.exe	cmd.exe
PID 1456 wrote to memory of 2680	1456	vpn.exe	cmd.exe
PID 1456 wrote to memory of 2680	1456	vpn.exe	cmd.exe
PID 2680 wrote to memory of 3560	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 3560	2680	cmd.exe	cmd.exe
PID 2680 wrote to memory of 3560	2680	cmd.exe	cmd.exe
PID 3560 wrote to memory of 4068	3560	cmd.exe	findstr.exe
PID 3560 wrote to memory of 4068	3560	cmd.exe	findstr.exe
PID 3560 wrote to memory of 4068	3560	cmd.exe	findstr.exe
PID 3560 wrote to memory of 2136	3560	cmd.exe	Sei.exe.com
PID 3560 wrote to memory of 2136	3560	cmd.exe	Sei.exe.com
PID 3560 wrote to memory of 2136	3560	cmd.exe	Sei.exe.com
PID 3560 wrote to memory of 584	3560	cmd.exe	PING.EXE
PID 3560 wrote to memory of 584	3560	cmd.exe	PING.EXE
PID 3560 wrote to memory of 584	3560	cmd.exe	PING.EXE
PID 2136 wrote to memory of 2216	2136	Sei.exe.com	Sei.exe.com
PID 2136 wrote to memory of 2216	2136	Sei.exe.com	Sei.exe.com
PID 2136 wrote to memory of 2216	2136	Sei.exe.com	Sei.exe.com
PID 2216 wrote to memory of 188	2216	Sei.exe.com	uvfjbefrcyn.exe
PID 2216 wrote to memory of 188	2216	Sei.exe.com	uvfjbefrcyn.exe
PID 2216 wrote to memory of 188	2216	Sei.exe.com	uvfjbefrcyn.exe
PID 2216 wrote to memory of 2668	2216	Sei.exe.com	WScript.exe
PID 2216 wrote to memory of 2668	2216	Sei.exe.com	WScript.exe
PID 2216 wrote to memory of 2668	2216	Sei.exe.com	WScript.exe
PID 2216 wrote to memory of 720	2216	Sei.exe.com	WScript.exe
PID 2216 wrote to memory of 720	2216	Sei.exe.com	WScript.exe
PID 2216 wrote to memory of 720	2216	Sei.exe.com	WScript.exe

C:\Users\Admin\AppData\Local\Temp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CmD < Muto.ppsx
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
CmD
3⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vajPQtXXzHEBktaqYJxMbcgAtBjRfvlcZbbEMXGsnfobkQPlvBBmZopqrMKgSuHXbpCNGOhwerhihRghLexOUKcRgbAqjsmaIkZegeDIgAvVUwNjbvCPLTrMOLnp$" Settala.ppsx
4⤵
PID:4068

C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
Sei.exe.com R
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com R
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\uvfjbefrcyn.exe
"C:\Users\Admin\AppData\Local\Temp\uvfjbefrcyn.exe"
6⤵
- Executes dropped EXE
PID:188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\huqvcjtnyim.vbs"
6⤵
PID:2668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rpdshkxcd.vbs"
6⤵
- Blocklisted process makes network request
PID:720

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
b63eb2568d0b7558d1c9f0b67ec8406e

SHA1
ff2099aceb959ded8054e22e92791481f8415acb

SHA256
5dd0d417d323f8989ef8bb77347977a3b507d31a805dc05bd3ee0a0a4f4c02d8

SHA512
296a2936ef9f0bbffb61d18637b3eb708de24dc033dfe83b9a98c30eabeeba6ff0687184a194a1fd55e732c45041c1f95cc049c6c3eb394998d379baba7c7937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
8f7b603e746e4cbe1ea09d21b3b5691b

SHA1
6d412f5e38710c70472e326a5af314c7908709a0

SHA256
fd486c32c6aa9bcb6aa028c03c2b4b6b0e13b88fcf90d38788f7620c8a53fae8

SHA512
f9606513716073b3c2d20b9b8b4067f9306b51a8966bea7d9057dd85b37b875ea7cb42b03822b3d7280be0900512e5031a18c245dbbb984575fc76af130d5487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1af85805af0d70f3bfb55ebebec82f96

SHA1
c7e9a36e08617e78fca06639596f3fa294f504d2

SHA256
6883f304bace5a47ac9924cb9caca2c0de34b829b16c69ab0352c599aa5acefa

SHA512
12b9d94093cfab3ae30e38eba7f3f7f30d1cfce5c20c8d2cd1bb638197256f7a4c460c9667c3e0aa0869f73a8591517ba462f47c385363d3fad5dfd062c78f8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
53ff27f3165cb3b2a2983ed316bfdcad

SHA1
925f3c2200ca42744a8b129243bca0b59c5102c0

SHA256
2085b8b869703c5a661786ad7934a0dad605ac424c0c9643fce96603f8cc1640

SHA512
8e99576014c83166b242f9db013296879aa690c7dbd6f04a9942ec4d18407f96dc7d3d926ee9451f30a41603d5dc19531ad5fc664cad7a427111a6cc0743f911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
076ae7041945de67da484ee93be7c5ea

SHA1
b2af14d3c413ddc9182ef78bbd8bff2a5a07184a

SHA256
4964600c1f86e3b1b8d2001f858bc69ac5e76532725299cd2c062aa0042fb383

SHA512
5fd87bcf2c0efc5a59effe25ba4ba5f1b64f795af2e94a5d793b1ab4387659edf15132719f7cf918df1321834efcc0e28c13e9b3e764bff908dd7b8ca55d7fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
64cf556f1ad28f4b90be06b4bc196f0c

SHA1
8bb60e56976bcf1b0681eaae1ee911188d3923bc

SHA256
0540f63ed7f53ca6ac4b03a5687ab6439dcefd2a8be894bc40008b64ee2c4318

SHA512
42d8a8d188fdc02d1877e77ada2d96947b1f73f4d972fa3e47f5d6962b906623b18e119c280f521dd32fd835bf7ff12ef25811efa5e46d33dd7e39de41ce4583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IM2CIJWM.cookie
MD5
e1a3f4d2ad62de3857b3ebd8289249bc

SHA1
fe84075e974fbccb6bd21df57df3421eb8468033

SHA256
c7921281e2d37e34762750d08f11bbd00a35c7b383099e27db17f9210a337dd5

SHA512
42ca8f344e0fbcb6ef5873a4d6bb02c9a6440f74d0de1ef0caf35bdc5d6e96d4dd2301257a22f0621e9e90fdcda02b2aa21f869578d186306a43a5202fed3afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\huqvcjtnyim.vbs
MD5
09cfb522bed0438c87ac8764008faac9

SHA1
e54ae85e035f4aba9818e060c0159fe2f16d1301

SHA256
78b0f0e9792b93e8edb359739053b07f622b155827386f9457f0e21d2274d8cd

SHA512
971ce9e87ddf716911a9c9bc6bb9218eb58465b1c50f2cb4cf3b33b0e4edefb5901f3b41458513eea4c59a50ab3139540e14e0608f9200b11325393bede6752d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpdshkxcd.vbs
MD5
a2409d0b659004461cdb5ac64162a16e

SHA1
2111464c4e2533f738387c5a014121626dcb2dc9

SHA256
b4c48d83fd68915e8b4f83f4ff1d55193f238aa01959a229b7c7dd0c3f124fb7

SHA512
a70f760b921f0333e2b7604239706cea7c29df030693054df9a1c768ff438ffcf84bedac9bdc841e1ece7b089e3760a5ff57ddc9234d48ea843fbaa1e40160c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvfjbefrcyn.exe
MD5
5794875a894c319563b8fe923f0063a2

SHA1
d8ffeef5315fd61df3e9cda4c1446b7b7e24f765

SHA256
55a488e69b8d887aaf0bd9cdaad7314c42ef387174a9a09be3e5724c1b8da07c

SHA512
029622b22d8584ad860aafd236c381fbd9be6b9b67e28635e164bd71326a2ff6014ff18f6c18126dc1be42f9befbc9adf7f853c98556f2fe1e7e578003076d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvfjbefrcyn.exe
MD5
5794875a894c319563b8fe923f0063a2

SHA1
d8ffeef5315fd61df3e9cda4c1446b7b7e24f765

SHA256
55a488e69b8d887aaf0bd9cdaad7314c42ef387174a9a09be3e5724c1b8da07c

SHA512
029622b22d8584ad860aafd236c381fbd9be6b9b67e28635e164bd71326a2ff6014ff18f6c18126dc1be42f9befbc9adf7f853c98556f2fe1e7e578003076d3b

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Arrossendo.ppsx
MD5
6564b65095baeea2cb63bed24cc1850a

SHA1
b4b46e41da33d2e45b8682610bb889202596be78

SHA256
58822a2314d5fa32d323b67df0ffdc8854b73cc7d3e63d6c867b02ad1cb2de57

SHA512
814e0863874b874c8c225d4ba7d32e5395d59268df1c0f11a9bf6a4c70b0c3a21b82f8dd8da5e8a2c3a3b0e1942679680bc653e5db3e9f73f9eb5d334e33b555

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Dov.ppsx
MD5
5c716b5c5a0f0acdee592e37de828747

SHA1
7bf8666655cc417adfc8603d42bccaedc9dd02d7

SHA256
9cb5ec6461309e5df60984802a0ac776c9998046367f4f5ac16a1b6677a75faf

SHA512
61ce4e30d06f3a8ee10dadda076c94eaab42cbd8268cd8add18083df4c426fac9ede98206717e92187f5ddb53c15c60313a0b40b32d3d42e00f902f2c94aa061

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Muto.ppsx
MD5
be2686eaeb2ddb9aa58d46e3092f8a67

SHA1
b0d2f08593de8e4531007cbceeee213013ae1428

SHA256
f3e010e9cc18db185e2ad285334d0c37d453693c2ab1cd5dd3e48b7bc914e7b4

SHA512
3d6eacc7a8f1d74d47c75fd67bb50932715482510fdb493fc08192180ed629fc72cc1eee01410c655343c3cc35d9895d60882dca1419393518a259cad5952199

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\R
MD5
6564b65095baeea2cb63bed24cc1850a

SHA1
b4b46e41da33d2e45b8682610bb889202596be78

SHA256
58822a2314d5fa32d323b67df0ffdc8854b73cc7d3e63d6c867b02ad1cb2de57

SHA512
814e0863874b874c8c225d4ba7d32e5395d59268df1c0f11a9bf6a4c70b0c3a21b82f8dd8da5e8a2c3a3b0e1942679680bc653e5db3e9f73f9eb5d334e33b555

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Settala.ppsx
MD5
db3c5fbd6832bcb620a393ad09a4d31c

SHA1
95ba32b54c8ab0e6df40af139d659e776ec6a6cb

SHA256
51dae8e5e7b84b5426cb6e4ee22f6d532783a566b1f7542df611b995ec281ee8

SHA512
f4526d330bea1eb7aa8e688936c3a2b6ac6e59e045e66c15f865011f5de604824b6811928f75d84c3f7ad95665556c6ad7ef984c1b2e02a0a12c238b6d0e4d54

Download Submit
memory/188-16-0x0000000000000000-mapping.dmp

Download
memory/188-21-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/188-22-0x0000000003A90000-0x0000000004187000-memory.dmp

Filesize
7.0MB

Download
memory/188-24-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/188-23-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/584-11-0x0000000000000000-mapping.dmp

Download
memory/720-25-0x0000000000000000-mapping.dmp

Download
memory/2136-8-0x0000000000000000-mapping.dmp

Download
memory/2216-12-0x0000000000000000-mapping.dmp

Download
memory/2216-15-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/2668-19-0x0000000000000000-mapping.dmp

Download
memory/2680-2-0x0000000000000000-mapping.dmp

Download
memory/3560-4-0x0000000000000000-mapping.dmp

Download
memory/4068-5-0x0000000000000000-mapping.dmp

Download