APP.exe.zip

General

Target: APP.exe
Filesize: 5MB
Completed: 24-09-2021 01:18
Score: 10/10

Malware Config

Extracted

Path C:\HOW_TO_RECOVER_FILES.Colossus.txt
Family colossus
Ransom Note
[+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have "Colossus" extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money. [+] Data Leak [+] We uploaded your data and if you dont contact with us then we will publish your data. Example of data: - Accounting data - Executive data - Sales data - Customer support data - Marketing data - And more other ... [+] How to Contact? [+] You have two options : 1. Chat with me : -Visit our website: http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/ -When you visit our website, put the following KEY into the input form. -Then start talk to me. 2. Email me at : colossussupport@protonmail.com KEY: MjdhZDUzM2Y3MTVhZmUxZjI2NTk2ZGM4YjVhN2EwMDEzODk2M2ZhNWEzMGU2Mjc5MTU4ODFjYjhiNWE3YTAwMTM4OTYzZmE1YTMwZTYyNzkxNTg4MWNiZmRkNDkwNDhiNzA0MjVhNGU0YTc0N2FhYzY0MWU5MTFjODY3M2RhZGQ= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we ready to make everything for restoring but please do not interfere. !!! !!! !!
Emails

colossussupport@protonmail.com

URLs

http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/

Signatures 12


Defense Evasion
Discovery
Lateral Movement
  • Colossus

    Description

    Ransomware discovered by ZeroFox.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    APP.exe (7 processes)

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | APP.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | APP.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/2544-114-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
    behavioral1/memory/2324-183-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
    behavioral1/memory/3680-226-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
    behavioral1/memory/2204-229-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
    behavioral1/memory/3788-232-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
    behavioral1/memory/1844-235-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
    behavioral1/memory/2260-238-0x0000000000210000-0x0000000000EEB000-memory.dmp | themida
  • Checks whether UAC is enabled
    APP.exe (7 processes)

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | APP.exe
  • Drops desktop.ini file(s)
    APP.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\desktop.ini | APP.exe
    File opened for modification | C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini | APP.exe
    File opened for modification | C:\Users\Public\desktop.ini | APP.exe
    File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | APP.exe
    File opened for modification | C:\Windows\Fonts\desktop.ini | APP.exe
    File opened for modification | C:\Program Files\desktop.ini | APP.exe
  • Drops autorun.inf file

    Description

    Malware can abuse Windows Autorun to spread further via attached volumes.

    TTPs

    Replication Through Removable Media
  • Drops file in Program Files directory
    APP.exe

  • Drops file in Windows directory
    APP.exe

  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    772 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 772 | powershell.exe
  • Suspicious use of WriteProcessMemory
    powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 772 wrote to memory of 2324 | 772 | powershell.exe | APP.exe
    PID 772 wrote to memory of 3680 | 772 | powershell.exe | APP.exe
    PID 772 wrote to memory of 2204 | 772 | powershell.exe | APP.exe
    PID 772 wrote to memory of 3788 | 772 | powershell.exe | APP.exe
    PID 772 wrote to memory of 1844 | 772 | powershell.exe | APP.exe
    PID 772 wrote to memory of 2260 | 772 | powershell.exe | APP.exe
Processes 9
  • C:\Users\Admin\AppData\Local\Temp\APP.exe
    "C:\Users\Admin\AppData\Local\Temp\APP.exe"
    Checks BIOS information in registry
    Checks whether UAC is enabled
    PID:2544
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:3568
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Local\Temp\APP.exe
      "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8
      Checks BIOS information in registry
      Checks whether UAC is enabled
      PID:2324
    • C:\Users\Admin\AppData\Local\Temp\APP.exe
      "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 c:\
      Checks BIOS information in registry
      Checks whether UAC is enabled
      PID:3680
    • C:\Users\Admin\AppData\Local\Temp\APP.exe
      "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 c:\
      Checks BIOS information in registry
      Checks whether UAC is enabled
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\APP.exe
      "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 *
      Checks BIOS information in registry
      Checks whether UAC is enabled
      PID:3788
    • C:\Users\Admin\AppData\Local\Temp\APP.exe
      "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 *
      Checks BIOS information in registry
      Checks whether UAC is enabled
      PID:1844
    • C:\Users\Admin\AppData\Local\Temp\APP.exe
      "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:2260
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Persistence
  • Privilege Escalation