Overview

overview

10

Static

static

af54403904...5c.rtf

windows7-x64

10

af54403904...5c.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    167s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af54403904ac8e687184e57ff1fddf97a7b9ce196895a7da5262b90d47da915c.rtf

  • Size

    734KB

  • MD5

    7969150b6ec8e1ab8a542d50c985e489

  • SHA1

    8f8ab77541b644396b50b447384f6a213b71f353

  • SHA256

    af54403904ac8e687184e57ff1fddf97a7b9ce196895a7da5262b90d47da915c

  • SHA512

    2cfdecde59f68b5ba3f6ce4b19d129853663da850aface5bdea4572a3686f71877c3f83b566818b17e02fa211b5cd3ff674e22b161cea4427cf862708095f30a

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • NTFS ADS 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1176
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1212
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\af54403904ac8e687184e57ff1fddf97a7b9ce196895a7da5262b90d47da915c.rtf"
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:880
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\SysWOW64\cMd.exe
          cMd /k %tEmP%\dqfm.cmd ? aaaa c
          2⤵
          • NTFS ADS
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmD
            3⤵
            • Loads dropped DLL
            • NTFS ADS
            • Suspicious use of WriteProcessMemory
            PID:820
            • C:\Windows\SysWOW64\timeout.exe
              TIMEOUT 1
              4⤵
              • Delays execution with timeout.exe
              PID:1636
            • C:\Users\Admin\AppData\Local\Temp\mondi.exe
              C:\Users\Admin\AppData\Local\Temp\mondi.eXe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Users\Admin\AppData\Local\Temp\mondi.eXe
                C:\Users\Admin\AppData\Local\Temp\mondi.eXe
                5⤵
                • Executes dropped EXE
                • Sets file execution options in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:1576
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  6⤵
                  • Modifies firewall policy service
                  • Sets file execution options in registry
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Modifies Internet Explorer Protected Mode
                  • Modifies Internet Explorer Protected Mode Banner
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1280
            • C:\Windows\SysWOW64\taskkill.exe
              TASkKILL /F /IM winword.exe
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1064
            • C:\Windows\SysWOW64\reg.exe
              reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
              4⤵
                PID:1204
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1828
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                  5⤵
                    PID:860
                • C:\Windows\SysWOW64\reg.exe
                  reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
                  4⤵
                    PID:1564
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1308
                    • C:\Windows\SysWOW64\reg.exe
                      REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                      5⤵
                        PID:976
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
                      4⤵
                        PID:2012
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1720
                        • C:\Windows\SysWOW64\reg.exe
                          REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
                          5⤵
                            PID:1388
                        • C:\Windows\SysWOW64\reg.exe
                          reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
                          4⤵
                            PID:1364
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                            4⤵
                              PID:1560
                              • C:\Windows\SysWOW64\reg.exe
                                REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                                5⤵
                                  PID:1588
                              • C:\Windows\SysWOW64\reg.exe
                                reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
                                4⤵
                                  PID:1148
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                                  4⤵
                                    PID:1260
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                                      5⤵
                                        PID:1944
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
                                      4⤵
                                        PID:1332
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                                        4⤵
                                          PID:1940
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                                            5⤵
                                              PID:944
                                    • C:\Windows\system32\conhost.exe
                                      \??\C:\Windows\system32\conhost.exe "1732263797-6638808458929582021652744417-173354088279944325-1244931433-753085934"
                                      1⤵
                                        PID:1428

                                      Network

                                      MITRE ATT&CK Matrix ATT&CK v6

                                      Initial Access

                                      Execution

                                      Exploitation for Client Execution

                                      1
                                      T1203

                                      Persistence

                                      Modify Existing Service

                                      1
                                      T1031

                                      Registry Run Keys / Startup Folder

                                      2
                                      T1060

                                      Privilege Escalation

                                      Defense Evasion

                                      Modify Registry

                                      6
                                      T1112

                                      Credential Access

                                      Discovery

                                      Query Registry

                                      3
                                      T1012

                                      System Information Discovery

                                      5
                                      T1082

                                      Lateral Movement

                                      Collection

                                      Exfiltration

                                      Command and Control

                                      Impact

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\dqfm.cmd
                                        Filesize

                                        186B

                                        MD5

                                        29324996d120283c617a7a142b5ba980

                                        SHA1

                                        43aa940b29713a6e75f30a6b614352c3bba24d6c

                                        SHA256

                                        2ab6f8f8b4f358a0f821de0710c3227dcbd1a3fa31172fda39ab44052a6cf021

                                        SHA512

                                        21c4d36887c72d01f9d2913c61e9d443169351a1c97b81a503712f0a224d50484100493dc971121ab71343b372440c0633fb062bb4930d1e6f53d455c9352b48

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\mondi.exe
                                        Filesize

                                        328KB

                                        MD5

                                        b7cd27ba473567e1427a2ec3636eb6f4

                                        SHA1

                                        843a1f646dd66e959897d3bdd15bd5259a38ecb3

                                        SHA256

                                        dd1c349f15f51a9e2d77fcfaa223a1e34833903747884d74b0cbe1a8fdd88ea6

                                        SHA512

                                        62e8cc91ed63f8fca4dea3bf2d24a3aa41e68065d48f122c15677fdfb98dcd51a0524a6a7453348ac82531db80d057e5e78904827297618b2669f09009dc3332

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\mondi.exe
                                        Filesize

                                        328KB

                                        MD5

                                        b7cd27ba473567e1427a2ec3636eb6f4

                                        SHA1

                                        843a1f646dd66e959897d3bdd15bd5259a38ecb3

                                        SHA256

                                        dd1c349f15f51a9e2d77fcfaa223a1e34833903747884d74b0cbe1a8fdd88ea6

                                        SHA512

                                        62e8cc91ed63f8fca4dea3bf2d24a3aa41e68065d48f122c15677fdfb98dcd51a0524a6a7453348ac82531db80d057e5e78904827297618b2669f09009dc3332

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\aisles.dll
                                        Filesize

                                        12KB

                                        MD5

                                        2bca48f9681de2a01180e3e3a4170238

                                        SHA1

                                        e097d8f8c9c51c777e7e1f720624ca9a0961b821

                                        SHA256

                                        5f2d209fb93640bf6c81cbddaa00d1c2e120228e7fa34161ad2786e3f0f8b1cb

                                        SHA512

                                        5860b0d09cb0393efb8ea11d34de4a78a24adcb779c516ff7657cf44e5c54fbaeb343c9d005275d5915733ac149981cdc2af2f7d3f5db5d51cbd953cae073165

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\mondi.exe
                                        Filesize

                                        328KB

                                        MD5

                                        b7cd27ba473567e1427a2ec3636eb6f4

                                        SHA1

                                        843a1f646dd66e959897d3bdd15bd5259a38ecb3

                                        SHA256

                                        dd1c349f15f51a9e2d77fcfaa223a1e34833903747884d74b0cbe1a8fdd88ea6

                                        SHA512

                                        62e8cc91ed63f8fca4dea3bf2d24a3aa41e68065d48f122c15677fdfb98dcd51a0524a6a7453348ac82531db80d057e5e78904827297618b2669f09009dc3332

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\mondi.exe
                                        Filesize

                                        328KB

                                        MD5

                                        b7cd27ba473567e1427a2ec3636eb6f4

                                        SHA1

                                        843a1f646dd66e959897d3bdd15bd5259a38ecb3

                                        SHA256

                                        dd1c349f15f51a9e2d77fcfaa223a1e34833903747884d74b0cbe1a8fdd88ea6

                                        SHA512

                                        62e8cc91ed63f8fca4dea3bf2d24a3aa41e68065d48f122c15677fdfb98dcd51a0524a6a7453348ac82531db80d057e5e78904827297618b2669f09009dc3332

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\nsjC380.tmp\System.dll
                                        Filesize

                                        11KB

                                        MD5

                                        b0c77267f13b2f87c084fd86ef51ccfc

                                        SHA1

                                        f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

                                        SHA256

                                        a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

                                        SHA512

                                        f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

                                        Download Submit
                                      • memory/820-63-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/860-96-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/880-55-0x000000006FE81000-0x000000006FE83000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/880-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
                                        Filesize

                                        64KB

                                        Download
                                      • memory/880-54-0x0000000072401000-0x0000000072404000-memory.dmp
                                        Filesize

                                        12KB

                                        Download
                                      • memory/880-57-0x0000000075831000-0x0000000075833000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/880-58-0x0000000070E6D000-0x0000000070E78000-memory.dmp
                                        Filesize

                                        44KB

                                        Download
                                      • memory/880-93-0x0000000070E6D000-0x0000000070E78000-memory.dmp
                                        Filesize

                                        44KB

                                        Download
                                      • memory/944-111-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/976-99-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1064-71-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1148-106-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1204-94-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1212-124-0x00000000029E0000-0x00000000029E6000-memory.dmp
                                        Filesize

                                        24KB

                                        Download
                                      • memory/1260-107-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1280-117-0x0000000077270000-0x00000000773F0000-memory.dmp
                                        Filesize

                                        1.5MB

                                        Download
                                      • memory/1280-114-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1280-123-0x0000000000090000-0x000000000014C000-memory.dmp
                                        Filesize

                                        752KB

                                        Download
                                      • memory/1280-122-0x0000000077270000-0x00000000773F0000-memory.dmp
                                        Filesize

                                        1.5MB

                                        Download
                                      • memory/1280-119-0x0000000000410000-0x000000000041C000-memory.dmp
                                        Filesize

                                        48KB

                                        Download
                                      • memory/1280-118-0x0000000000090000-0x000000000014C000-memory.dmp
                                        Filesize

                                        752KB

                                        Download
                                      • memory/1280-116-0x0000000074961000-0x0000000074963000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/1308-98-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1332-109-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1364-103-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1388-102-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1404-60-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1560-104-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1564-97-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1576-113-0x0000000001FA0000-0x0000000001FAC000-memory.dmp
                                        Filesize

                                        48KB

                                        Download
                                      • memory/1576-91-0x0000000000440000-0x00000000004A6000-memory.dmp
                                        Filesize

                                        408KB

                                        Download
                                      • memory/1576-82-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-77-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-75-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-83-0x00000000004015C6-mapping.dmp
                                        Download
                                      • memory/1576-76-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-86-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-121-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-120-0x0000000000440000-0x00000000004A6000-memory.dmp
                                        Filesize

                                        408KB

                                        Download
                                      • memory/1576-87-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-90-0x0000000000440000-0x00000000004A6000-memory.dmp
                                        Filesize

                                        408KB

                                        Download
                                      • memory/1576-112-0x0000000000250000-0x000000000025D000-memory.dmp
                                        Filesize

                                        52KB

                                        Download
                                      • memory/1576-81-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-79-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1576-80-0x0000000000400000-0x0000000000435000-memory.dmp
                                        Filesize

                                        212KB

                                        Download
                                      • memory/1588-105-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1636-64-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1648-68-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1720-101-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1828-95-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1940-110-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1944-108-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2012-100-0x0000000000000000-mapping.dmp
                                        Download