Analysis
-
max time kernel
110s
-
max time network
123s
-
platform
windows10_x64
-
resource
win10-en-20211208
-
submitted
21-12-2021 09:03
Static task
static1
Behavioral task
behavioral1
Sample
b9bf83d695f3e0fd56b2426663cf32ee.exe
Resource
win7-en-20211208
General
-
Target
b9bf83d695f3e0fd56b2426663cf32ee.exe
-
Size
5.2MB
-
MD5
b9bf83d695f3e0fd56b2426663cf32ee
-
SHA1
a6c30924a3db06bf7a615fa2b3b9fab020077a12
-
SHA256
6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548
-
SHA512
29397577e1897dc906439ce1d464178be86dd75bfefcd1bb6cbd38234fbf01c112be112efa23aa1039aab10b2d22492c0ed69be2a61942c06b3db482a07c5885
Malware Config
Extracted
danabot
4
142.11.244.223:443
23.106.122.139:443
-
embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
-
type
loader
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\CHIGKB~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CHIGKB~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CHIGKB~1.DLL | DanabotLoader2021
behavioral2/memory/2032-156-0x0000000004340000-0x00000000045B9000-memory.dmp | DanabotLoader2021
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 2 IoCs
Processes:
WScript.exe
flow | pid | process
33 | 916 | WScript.exe
34 | 916 | WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
guffer.exe, kadeinvp.exe, chigkbgsmn.exe, DpEditor.exe
pid | process
3844 | guffer.exe
4032 | kadeinvp.exe
4208 | chigkbgsmn.exe
4344 | DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
kadeinvp.exe, DpEditor.exe, guffer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kadeinvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kadeinvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | guffer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | guffer.exe
-
Loads dropped DLL 3 IoCs
Processes:
b9bf83d695f3e0fd56b2426663cf32ee.exe, rundll32.exe
pid | process
3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe
2032 | rundll32.exe
2032 | rundll32.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe | themida
C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe | themida
C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe | themida
C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe | themida
behavioral2/memory/3844-122-0x0000000000A90000-0x0000000001121000-memory.dmp | themida
behavioral2/memory/3844-123-0x0000000000A90000-0x0000000001121000-memory.dmp | themida
behavioral2/memory/4032-124-0x0000000000F50000-0x0000000001618000-memory.dmp | themida
behavioral2/memory/4032-126-0x0000000000F50000-0x0000000001618000-memory.dmp | themida
behavioral2/memory/4032-128-0x0000000000F50000-0x0000000001618000-memory.dmp | themida
behavioral2/memory/4032-129-0x0000000000F50000-0x0000000001618000-memory.dmp | themida
behavioral2/memory/3844-130-0x0000000000A90000-0x0000000001121000-memory.dmp | themida
behavioral2/memory/3844-131-0x0000000000A90000-0x0000000001121000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral2/memory/4344-140-0x0000000000C30000-0x00000000012C1000-memory.dmp | themida
behavioral2/memory/4344-141-0x0000000000C30000-0x00000000012C1000-memory.dmp | themida
behavioral2/memory/4344-142-0x0000000000C30000-0x00000000012C1000-memory.dmp | themida
behavioral2/memory/4344-143-0x0000000000C30000-0x00000000012C1000-memory.dmp | themida
-
Processes:
guffer.exe, kadeinvp.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | guffer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kadeinvp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
guffer.exe, kadeinvp.exe, DpEditor.exe
pid | process
3844 | guffer.exe
4032 | kadeinvp.exe
4344 | DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
b9bf83d695f3e0fd56b2426663cf32ee.exe
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | b9bf83d695f3e0fd56b2426663cf32ee.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | b9bf83d695f3e0fd56b2426663cf32ee.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | b9bf83d695f3e0fd56b2426663cf32ee.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
kadeinvp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kadeinvp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kadeinvp.exe
-
Modifies registry class 1 IoCs
Processes:
kadeinvp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | kadeinvp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exe
pid | process
4344 | DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
guffer.exe, kadeinvp.exe, DpEditor.exe
pid | process
3844 | guffer.exe
3844 | guffer.exe
4032 | kadeinvp.exe
4032 | kadeinvp.exe
4344 | DpEditor.exe
4344 | DpEditor.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
b9bf83d695f3e0fd56b2426663cf32ee.exe, kadeinvp.exe, guffer.exe, chigkbgsmn.exe
description | pid | process | target process
PID 3612 wrote to memory of 3844 | 3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe | guffer.exe
PID 3612 wrote to memory of 3844 | 3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe | guffer.exe
PID 3612 wrote to memory of 3844 | 3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe | guffer.exe
PID 3612 wrote to memory of 4032 | 3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe | kadeinvp.exe
PID 3612 wrote to memory of 4032 | 3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe | kadeinvp.exe
PID 3612 wrote to memory of 4032 | 3612 | b9bf83d695f3e0fd56b2426663cf32ee.exe | kadeinvp.exe
PID 4032 wrote to memory of 4208 | 4032 | kadeinvp.exe | chigkbgsmn.exe
PID 4032 wrote to memory of 4208 | 4032 | kadeinvp.exe | chigkbgsmn.exe
PID 4032 wrote to memory of 4208 | 4032 | kadeinvp.exe | chigkbgsmn.exe
PID 4032 wrote to memory of 4368 | 4032 | kadeinvp.exe | WScript.exe
PID 4032 wrote to memory of 4368 | 4032 | kadeinvp.exe | WScript.exe
PID 4032 wrote to memory of 4368 | 4032 | kadeinvp.exe | WScript.exe
PID 3844 wrote to memory of 4344 | 3844 | guffer.exe | DpEditor.exe
PID 3844 wrote to memory of 4344 | 3844 | guffer.exe | DpEditor.exe
PID 3844 wrote to memory of 4344 | 3844 | guffer.exe | DpEditor.exe
PID 4032 wrote to memory of 916 | 4032 | kadeinvp.exe | WScript.exe
PID 4032 wrote to memory of 916 | 4032 | kadeinvp.exe | WScript.exe
PID 4032 wrote to memory of 916 | 4032 | kadeinvp.exe | WScript.exe
PID 4208 wrote to memory of 2032 | 4208 | chigkbgsmn.exe | rundll32.exe
PID 4208 wrote to memory of 2032 | 4208 | chigkbgsmn.exe | rundll32.exe
PID 4208 wrote to memory of 2032 | 4208 | chigkbgsmn.exe | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9bf83d695f3e0fd56b2426663cf32ee.exe
"C:\Users\Admin\AppData\Local\Temp\b9bf83d695f3e0fd56b2426663cf32ee.exe" (level 1)
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe
"C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe" (level 2)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe" (level 3)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe
"C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe" (level 2)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\chigkbgsmn.exe
"C:\Users\Admin\AppData\Local\Temp\chigkbgsmn.exe" (level 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CHIGKB~1.DLL,s C:\Users\Admin\AppData\Local\Temp\CHIGKB~1.EXE (level 4)
- Loads dropped DLL
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaqvjreig.vbs" (level 3)
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pkhfuyj.vbs" (level 3)
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads