Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 14:39

General

  • Target

    51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182.exe

  • Size

    3.3MB

  • MD5

    095408d1abc0817739b86c3e7e4d0dfd

  • SHA1

    161d670c99c1ede6f26f97f90532236a0f4a6415

  • SHA256

    51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182

  • SHA512

    c6ecb1dd97007e4a8ad3793a7ea040433bfd26b049540aa989542e9f4ff83417d1f60767441ff59f1236e6208e3eca4c739961c124329fda82da84b7f0d6afdd

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Modifies file permissions 1 TTPs 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182.exe
    "C:\Users\Admin\AppData\Local\Temp\51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      "C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:1548
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:4672
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:3476
    • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      "C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:916
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3196
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4584
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4220
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1672
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2492
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    1⤵
    • Executes dropped EXE
    PID:2784
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4504
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3332
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    1⤵
    • Executes dropped EXE
    PID:3776
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    1⤵
    • Executes dropped EXE
    PID:3988

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Bootkit (1) T1067
  • Defense Evasion
    File Permissions Modification (1) T1222
    Modify Registry (1) T1112
  • Discovery
    Query Registry (3) T1012
    System Information Discovery (5) T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    3c94b790a4d3d3813b9804b360811c02

    SHA1

    9b42bca99be723330c45b22abb0698f77ef8077a

    SHA256

    7bc88a561babff736195edc916e12556d4a870e9dc94e649adff7d6859468d93

    SHA512

    594410b019fde2552e456bf87934eab332c73d5a1c73c3fac27886bb2c8f2b2c174acb0fa5f67b40a4b41339cff713b239eab680c6dd7aab00aacaf8e38538b8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_CEC273363E767B922208DE98D79F0556
    Filesize

    1KB

    MD5

    353ea810c544d9b8d2c0abc88e93a655

    SHA1

    eb960990003221fab9efcf67e46732d831f77d39

    SHA256

    25a720f1fb0b266a93f9dc30c307066f9b8dca2bb334c4f0f5e208297eacb6e7

    SHA512

    5a43748ea7e51a0719c9bee698f96b2f03660b11ac839a3b6f8f8c7cd2e69699a1df7382b64e37293c4d98fd42dd9f22e72b4d2254cc2eae2afeb5042e4e3649

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
    Filesize

    1KB

    MD5

    2a9342e928868b3aa3cb44335e149475

    SHA1

    4528e096dd8f508a3f47bc98c6fe500be94cab63

    SHA256

    81a11d126e503c3c20af7f8456b464e0396685a9605bce321e68f2beafa05529

    SHA512

    3766a4e288cbb1933ad0586603dae0a24918460d50e9ad7f92df41edb599c1489f9ba2a28b1406709277bb6a446989605a74a6d0b547e5d53686ed51767b87c0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    13a3bac60000fa5c6c6f3ddcb9808375

    SHA1

    083314ecf5cdbc666740bf51512a8fcc0f037561

    SHA256

    bb3456c31b0d6039f527967b0dbacd2662de01f2fff437f871e8338d300c3a7d

    SHA512

    30d4d6919cb069a560f3c0a031e4c3707aedebdb3501413c5424c32136daa4a2bb978641057fe1fe87b2d435681e34b16f25e02e452f257fd94018b0b2b6a1d2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_CEC273363E767B922208DE98D79F0556
    Filesize

    540B

    MD5

    fb329cf4ac524e9ccd1e95b81ea50481

    SHA1

    6dd91a68be3059faab9c537e7661fd6215c7a22f

    SHA256

    8c352b868393f9f2937275a6244c2a7b4ac4b2b96816811776db7a64c939b5e9

    SHA512

    d909e980f01c61bf5f96f466f1149af31f4b178db2fb7385b4e7032ba0bbabe15fb894668f08a7cb442b12e2e2c0e3e17e3031acf88401ec4b2fd49186672223

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
    Filesize

    492B

    MD5

    63a720ff6ee0adcb99a0d69ae0758bdc

    SHA1

    0e84906461f1a5c8eb5be54519a7714d4caa4404

    SHA256

    3956620cd675137bfc7c82475a73b43c77b98bae212d469d45ac0a5fc60b23d4

    SHA512

    49beb396ce662e8843a709955e9137d9de0417953ffefab4a89ac27ce57cb05af8cba5baeced62214c11c5c8c5f4df97b8f2b015ef3fc639968ca93e27d68660

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\a5473fd\imagestore.dat
    Filesize

    1KB

    MD5

    76b14915623b07f55ad1786c5adf1618

    SHA1

    d6cda310dd42b68930739958eb5ec9e33dd778f4

    SHA256

    ce337008545e8dc060e455eea24328215e18b6dab3f9dcf56d9d2a4cc9b750c6

    SHA512

    d5a36357b84fdca0bf7720af228d1c39fccb489e5abc0cd82f330dba1f2a1204af3990659d68c9eb9e4fccf395f43d91bc85432ab7db354ff31fd701b2d38443

  • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
    Filesize

    978KB

    MD5

    c19991ba8335387ae24c6cd7ef25e9d4

    SHA1

    6464ef5c79840112e56bd733b2fd6db599f46467

    SHA256

    bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

    SHA512

    f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

  • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
    Filesize

    978KB

    MD5

    c19991ba8335387ae24c6cd7ef25e9d4

    SHA1

    6464ef5c79840112e56bd733b2fd6db599f46467

    SHA256

    bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

    SHA512

    f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

  • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
    Filesize

    2.0MB

    MD5

    1c4a6c4af547084522341fd581796e7b

    SHA1

    465609a615eb247b83d011317943f30ceeb46904

    SHA256

    e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

    SHA512

    186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

  • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
    Filesize

    2.0MB

    MD5

    1c4a6c4af547084522341fd581796e7b

    SHA1

    465609a615eb247b83d011317943f30ceeb46904

    SHA256

    e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

    SHA512

    186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    Filesize

    978KB

    MD5

    c19991ba8335387ae24c6cd7ef25e9d4

    SHA1

    6464ef5c79840112e56bd733b2fd6db599f46467

    SHA256

    bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

    SHA512

    f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    Filesize

    978KB

    MD5

    c19991ba8335387ae24c6cd7ef25e9d4

    SHA1

    6464ef5c79840112e56bd733b2fd6db599f46467

    SHA256

    bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

    SHA512

    f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    Filesize

    978KB

    MD5

    c19991ba8335387ae24c6cd7ef25e9d4

    SHA1

    6464ef5c79840112e56bd733b2fd6db599f46467

    SHA256

    bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

    SHA512

    f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
    Filesize

    978KB

    MD5

    c19991ba8335387ae24c6cd7ef25e9d4

    SHA1

    6464ef5c79840112e56bd733b2fd6db599f46467

    SHA256

    bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

    SHA512

    f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

  • memory/916-133-0x0000000000000000-mapping.dmp
  • memory/1220-136-0x0000000000000000-mapping.dmp
  • memory/1296-146-0x0000000000000000-mapping.dmp
  • memory/1360-139-0x0000000000000000-mapping.dmp
  • memory/1548-140-0x0000000000000000-mapping.dmp
  • memory/1672-148-0x0000000000000000-mapping.dmp
  • memory/2492-149-0x0000000000000000-mapping.dmp
  • memory/3196-141-0x0000000000000000-mapping.dmp
  • memory/3476-147-0x0000000000000000-mapping.dmp
  • memory/4220-145-0x0000000000000000-mapping.dmp
  • memory/4584-143-0x0000000000000000-mapping.dmp
  • memory/4672-144-0x0000000000000000-mapping.dmp
  • memory/4808-130-0x0000000000000000-mapping.dmp
  • memory/5040-142-0x0000000000000000-mapping.dmp