8e4ec19445eb1409c602b0956c196f4943189bfd2a4dc230d7cf31c3be4ae277

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
07-11-2021 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe
Size

5.4MB
MD5

b4b62cc70409c96442250f701259df0e
SHA1

573cc145d8c3e9e63a2d033fd7082e147088ceb6
SHA256

72a4f42e3a2aba89a433727fb5e9e26b163f3bc7872a1ffc1b21d73244ebf42b
SHA512

6b99b5ba389dc8bd7df0722a3392def93f29e5854fd695f72d99d1525da531b6990f375f0d4099789a576b1c43e70cf68b5fb6e1940505bbf557377e92bb1aa6

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.iobit.com/downloadcenter.php?product=nl-advanced-uninstaller

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 920 powershell.exe
6 920 powershell.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exe

pid process

1532 takeown.exe

flow	pid	process
5	920	powershell.exe
6	920	powershell.exe

pid	process
1532	takeown.exe

Drops file in Program Files directory 2 IoCs

Processes:

xcopy.exe

description	ioc	process
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\version.dll	xcopy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

960 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1260 taskkill.exe
460 taskkill.exe
300 taskkill.exe
1948 taskkill.exe
1320 taskkill.exe
1416 taskkill.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1480 powershell.exe
1480 powershell.exe
1480 powershell.exe
1480 powershell.exe
920 powershell.exe

pid	process
960	timeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
1260	taskkill.exe
460	taskkill.exe
300	taskkill.exe
1948	taskkill.exe
1320	taskkill.exe
1416	taskkill.exe

pid	process
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
920	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetakeown.exepowershell.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeTakeOwnershipPrivilege	1532	takeown.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.execmd.exepowershell.execsc.execmd.exe

description	pid	process	target process
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 372 wrote to memory of 564	372	72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe	cmd.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1480	564	cmd.exe	powershell.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1864	1480	powershell.exe	csc.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 1864 wrote to memory of 1396	1864	csc.exe	cvtres.exe
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1956	564	cmd.exe	mode.com
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 564 wrote to memory of 1764	564	cmd.exe	cmd.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1772	1764	cmd.exe	WMIC.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1416	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1260	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 460	564	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe
"C:\Users\Admin\AppData\Local\Temp\72A4F42E3A2ABA89A433727FB5E9E26B163F3BC7872A1FFC1B21D73244EBF42B.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile "iex (${C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd} | out-string)"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrfpjxck.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE4E3.tmp"
5⤵
PID:1396

C:\Windows\SysWOW64\mode.com
mode 132,39
3⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get OSLanguage /Value
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get OSLanguage /Value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IObitUninstaler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IUService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im UninstallMonitor.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Program Files (x86)\IObit\IObit Uninstaller\version.dll"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoLogo -NoProfile -NonInteractive -Command "$ErrorActionPreference = 'SilentlyContinue'; (New-Object System.Net.WebClient).DownloadFile('https://www.iobit.com/downloadcenter.php?product=nl-advanced-uninstaller', \"C:\Users\Admin\Desktop\IObit Uninstaller Pro by Vinny27\setup.exe\")"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\timeout.exe
timeout /T 20 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IObitUninstaler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IUService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im UninstallMonitor.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\xcopy.exe
"xcopy.exe" "Vinny27\version.dll" "C:\Program Files (x86)\IObit\IObit Uninstaller\" /s /i /r /v /k /f /c /h /y
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE4F3.tmp
MD5
dc80ce12fd3e80232e864ffb013f6994

SHA1
d29804288ef54d08f8214d2d0ace98bc5d3a700e

SHA256
425d5df927a357e69ca2683bfbef4c989f2f4c4213bb7c16648c23de643ed953

SHA512
b95bd6f31b5f5b49786cd595a20a4544708f6d556586dc58773fa4a293b352d40495e0e3d1dd0f1f217f9fe1fead7db64757660f605967d1ca37ce0f41f59597

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd
MD5
fdc00c626637cfa125dd5cde91c2b9fb

SHA1
4c64c02b6536b84ad31f017f581369f6561772e1

SHA256
13718f401f4d50a63b0989ceca0db82146e889f4d71d363142e1d87cc1a8688f

SHA512
07d1c6afae5d7eda1a5f73ceca0d36ad2fd95e05812c925bb782f5ad6198fcf3684e414681ecd460a40ab18b14bf74be8f94846b2831908d62020784f45a06f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27\version.dll
MD5
cc165af6a6e4978c66a86b25cf58b92b

SHA1
3767e079d784c5a2b5088de7c172da1c1bf63daf

SHA256
4e12ff9a72b7c2357f46ef645400cb6311330ced73ee787244c85ba7c57e8c8e

SHA512
29ed9563b901b818e69b17861ed55c8e0866f535ead9e1e67926ccaf587bbf00270b088111627a56795f1aff2ba9fab6c01407fa436cea81163e2db958304623

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrfpjxck.dll
MD5
7c9c0ec2fc5046dd0faa601e51e27928

SHA1
97029cbe66285b9991bc196034425f16d63d1a7f

SHA256
a5bb6a21863420109076ed4e1616be54363aedf619d7b02fa2949dd222c52d21

SHA512
c790e7bb576a7f22246d8f7b8fd72b3f00117cea6585566127f66d2438673cbb23c2e4a4cd2832b0e2f1350a2ef35b0c6ea4e9a05c7a5c3991e64168c91c7828

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrfpjxck.pdb
MD5
05b6650bfd06a2e5fb24c3924274ed60

SHA1
5dec6605f9bf08f417f51d0dcdd978e117935901

SHA256
5db5d9aac0bcd4aec41df516cd1a7439461ce11163bd9d078dc24478bd24a3aa

SHA512
a407d42eb71f289ff1da7b1cf0b076788b387d14cb0cfb2cc6411f3a7191baa59f9cb628c8d9ad835b74d3a85d3370db9bc1a66bc584a8cf3d68d3894c5b09f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
73105f9b44b187ed9e3a64b9eaf4895b

SHA1
815d96b3b55d986c8b3ac9d182e64808b291abdc

SHA256
9741745f44e2b846b89e876e542646af240e95bd6cd65dad3c514afb00654d95

SHA512
97b9e8e82c40c357dd81d5fb83b161b95d9a32c4f6e881c6df6b7adafdf3c7f3bcbe7171ed9002f704e41293b4b98125b8b8a49adcf81f8ea39a5494d1b1040c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE4E3.tmp
MD5
0d1f56e746b21967203afd9bf155a660

SHA1
4c00d14a649b3ae2e13fd31665bef119036aa015

SHA256
13d832f7a1a8ef652f6f970fd1a1092a7727fc12c5438cd02456c61a352fe658

SHA512
dd9d5b0c2877e5938181e9750015dd2c2bf0e665b5739378c5a26d84a8ce51cd86c00808c7a20ca404c0fbab47d72827e11a94d55de3c3df1aa7977aa0880afb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hrfpjxck.0.cs
MD5
86e01143b4a1fa765a72bccf8ee600e7

SHA1
72ca5d63008bda858c155a46923faf90a42add97

SHA256
8d3dca050128a83e6ed0e26c8fa56131265f6daee1949c1c53d5b4dfa08d4e7c

SHA512
81f66cef29071311f7c42c896c0301fec761a81a83b57cb7bdbea674c6eff4a4ab48aa52bca5b77536732fa3ecfcbaea0b177d5e5524d914e0439a81d0fd4678

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hrfpjxck.cmdline
MD5
e7df025b33200962d4ece39a7f921d08

SHA1
9be89a9cf62d89f48d959f40f8ff83886c3014cd

SHA256
1676cbbab818e95aa1841728e831a5d6e3718e829d0382dade7ed5e5afaaa940

SHA512
21093520e062b20c935147dd6e5e535f2a9459824a428b8facffbcc54a54bee1bd453f910ccd67eeed996067ac30b5cab002426e5bbe4e109f8b8ed78e1f1fae

Download Submit
memory/300-93-0x0000000000000000-mapping.dmp

Download
memory/372-55-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/460-83-0x0000000000000000-mapping.dmp

Download
memory/564-90-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/564-56-0x0000000000000000-mapping.dmp

Download
memory/920-87-0x0000000000000000-mapping.dmp

Download
memory/960-91-0x0000000000000000-mapping.dmp

Download
memory/1260-81-0x0000000000000000-mapping.dmp

Download
memory/1320-97-0x0000000000000000-mapping.dmp

Download
memory/1396-67-0x0000000000000000-mapping.dmp

Download
memory/1416-79-0x0000000000000000-mapping.dmp

Download
memory/1480-59-0x0000000000000000-mapping.dmp

Download
memory/1480-61-0x00000000020F0000-0x0000000002D3A000-memory.dmp

Filesize
12.3MB

Download
memory/1532-85-0x0000000000000000-mapping.dmp

Download
memory/1764-75-0x0000000000000000-mapping.dmp

Download
memory/1772-77-0x0000000000000000-mapping.dmp

Download
memory/1856-99-0x0000000000000000-mapping.dmp

Download
memory/1864-62-0x0000000000000000-mapping.dmp

Download
memory/1864-66-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1948-95-0x0000000000000000-mapping.dmp

Download
memory/1956-73-0x0000000000000000-mapping.dmp

Download