Analysis

  • max time kernel
    150s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    08-09-2022 14:59

General

  • Target

    Takeaway.exe

  • Size

    380KB

  • MD5

    a1ef511c6b47307948465fe6e1af6997

  • SHA1

    103f8cc1af6581b4be3f606fd86940d632a450d1

  • SHA256

    dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584

  • SHA512

    8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821

  • SSDEEP

    6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3p0Ov6Po5/RrVqB8hgh6mTi:NxmIJQvPkitEqZR3p0u6+URTi

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, follow this link: email GetDecoding@zimbabwe.su YOUR ID
If you have not been answered via the link within 12 hours, write to us by e-mail: getdecoding@msgsafe.io
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

GetDecoding@zimbabwe.su

getdecoding@msgsafe.io

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Takeaway.exe
    "C:\Users\Admin\AppData\Local\Temp\Takeaway.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ikqoqosy.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E32.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E21.tmp"
          4⤵
          PID:904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all
          4⤵
          • Interacts with shadow copies
          PID:1956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1280
      • C:\Users\Admin\AppData\Local\Temp\NS2.exe
        "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:1536
      • C:\Users\Admin\AppData\Local\Temp\winhost.exe
        "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            5⤵
            PID:1780
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1948
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            5⤵
            PID:1636
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1388
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          4⤵
          • Modifies Internet Explorer settings
          PID:688
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          4⤵
          • Modifies Internet Explorer settings
          PID:1936
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2040
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
    PID:1428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    File Deletion (2) T1107
    Modify Registry (2) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (1) T1005
  • Impact
    Inhibit System Recovery (2) T1490

Downloads

            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              Filesize

              7KB

              MD5

              4686c2796b69ec9b1cb36ded2b53dc6e

              SHA1

              33f8bc3ac98bb2579d7e4b5e1967ac2ad4e5bd95

              SHA256

              692b414708a7e26858b7bfe867a2de5c4fdf7a9c0eb2924cc7a93c0c37e8a4d2

              SHA512

              cd1ffa9055f7e13c2942a494d90014c5e8f20b51ecce9952fed7433b32e317cc9eea951ca8026a0a4bbf6b57bffc7b33f9fde76e21f643e79d8f8c025e984092

            • C:\Users\Admin\AppData\Local\Temp\NS2.exe
              Filesize

              125KB

              MD5

              597de376b1f80c06d501415dd973dcec

              SHA1

              629c9649ced38fd815124221b80c9d9c59a85e74

              SHA256

              f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

              SHA512

              072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

            • C:\Users\Admin\AppData\Local\Temp\RES4E32.tmp
              Filesize

              1KB

              MD5

              e0279d35563648ab6d2ec67f77e51444

              SHA1

              1ee76363f60249bace03ddec3dbb626c788f9e3d

              SHA256

              07631ee8aa84c969ceaf625a57709ebaf10e624530c379fdf9968471facbd0b6

              SHA512

              63a91825823f9404818c286c16720f91a4bdb4ce6b3cfee9a22b2ac6e0a158e1f742fa81f15a4ac81d25a8983c59a7fa41e3b4b15001d918c1eafaa92ed6cd9d

            • C:\Users\Admin\AppData\Local\Temp\ikqoqosy.dll
              Filesize

              3KB

              MD5

              620e25f6587c20eea8487651039a6f70

              SHA1

              b23c9fb64a847976d9fdeafc18c2ea95a5bdcbcb

              SHA256

              828d55775a153df070bc6cc50cbc176e7711bb850d651678f357133e97c921ea

              SHA512

              d9f295792e7b1ae3579cd865a731e0c55ce64225f379d0bc46cd0f3a6019444a72137067ba9b938c0bf4d196cfd36e310dee1a5a7a040e00e82016f572bd54f4

            • C:\Users\Admin\AppData\Local\Temp\ikqoqosy.pdb
              Filesize

              7KB

              MD5

              9a0e6715ff4eb091ffac33f166932504

              SHA1

              d2df5dbe1152e19d15179810ccf6370e3cf70886

              SHA256

              74e8efbb74eb6469f1486c1bdd5c7640cd5b5041e7d53aae4493132f2f180b83

              SHA512

              bb0397e55480c0038a6bdb6f3e5d12ef3c561ce54f6319ac7d9f3dc26f202895db04964ba397b25b48e5b2dd20313519eb9c7c024512b42e074faa0fab340279

            • C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
              Filesize

              8KB

              MD5

              31e22820cba11f6c7670854ed65f09ed

              SHA1

              9ab447c539234e75b56b3e180f3541580ffa0cea

              SHA256

              6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035

              SHA512

              fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe

            • C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
              Filesize

              3KB

              MD5

              08c0963ddf483e5c233026380de1b6d0

              SHA1

              1e3a06d038a48c76a6ad0c400cf145109e7179b7

              SHA256

              488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59

              SHA512

              a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f

            • C:\Users\Admin\AppData\Local\Temp\winhost.exe
              Filesize

              92KB

              MD5

              c24f6144e905b717a372c529d969611e

              SHA1

              0a297e9e5c807c06ad10f4f746f4f9e256df6743

              SHA256

              94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

              SHA512

              f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              a704158a5b512c949effb9575de6db33

              SHA1

              e5679e7bef17211911823a199f73d655b94fea2c

              SHA256

              0dde3aa2fbc9500bc3acc2133e2bffc8875431782ea15b0be536f4b2c2340a52

              SHA512

              525bb74701aaeb876a74998dbad422f5cf299a70fd08b09458a2a4d714ab05806ed9be918b67ed0783724ee6bc67d90048f2f7a945b1a0e1b1b80a321ccfdde6

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              Filesize

              7KB

              MD5

              4686c2796b69ec9b1cb36ded2b53dc6e

              SHA1

              33f8bc3ac98bb2579d7e4b5e1967ac2ad4e5bd95

              SHA256

              692b414708a7e26858b7bfe867a2de5c4fdf7a9c0eb2924cc7a93c0c37e8a4d2

              SHA512

              cd1ffa9055f7e13c2942a494d90014c5e8f20b51ecce9952fed7433b32e317cc9eea951ca8026a0a4bbf6b57bffc7b33f9fde76e21f643e79d8f8c025e984092

            • \??\c:\Users\Admin\AppData\Local\Temp\CSC4E21.tmp
              Filesize

              652B

              MD5

              c4c75fcb0a80c59e2e715da2a3543a2b

              SHA1

              8d2234467d5376e0c93d88545c3fa6f7c9eb5b3a

              SHA256

              b1b4dc15a8c68b5a82fa6c98acb553809b76aff0b57ea0a67dc53efe1b37f395

              SHA512

              ee8bcf5482baf0b9b681693b4054640e9cd1e5eaf50cbd50f89556ece864575ca43107f19a01992672e4ec4594cd17c37f62bf3eae6ee5e5270d3be2d008a0d7

            • \??\c:\Users\Admin\AppData\Local\Temp\ikqoqosy.0.cs
              Filesize

              308B

              MD5

              9c478287d8b4ad6cd34ac20bdac9577c

              SHA1

              73965974950d1be20682abc2f716e5070f2c7097

              SHA256

              8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f

              SHA512

              b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2

            • \??\c:\Users\Admin\AppData\Local\Temp\ikqoqosy.cmdline
              Filesize

              309B

              MD5

              c971081d16680aa9c7afd7ccde52c206

              SHA1

              fc59f1e2de68a1c1214ec124302988c24f1e28ce

              SHA256

              1ed6d1359ef267ca07c0e2ef3ca7fc78aead91d2efaf95ddd98238415e31749d

              SHA512

              8b5b4f16a012d227ccab024d76a158b5f94e479796858a7c6a99ce35c3a4950c3c6c70f81da3d76acdc67db662dd93c1277e618410c5af5bf3381a5816b2b17c

            • \Users\Admin\AppData\Local\Temp\NS2.exe
              Filesize

              125KB

              MD5

              597de376b1f80c06d501415dd973dcec

              SHA1

              629c9649ced38fd815124221b80c9d9c59a85e74

              SHA256

              f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

              SHA512

              072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

            • \Users\Admin\AppData\Local\Temp\winhost.exe
              Filesize

              92KB

              MD5

              c24f6144e905b717a372c529d969611e

              SHA1

              0a297e9e5c807c06ad10f4f746f4f9e256df6743

              SHA256

              94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

              SHA512

              f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

            • memory/268-59-0x0000000000000000-mapping.dmp
            • memory/284-73-0x0000000000000000-mapping.dmp
            • memory/688-99-0x0000000000000000-mapping.dmp
            • memory/816-78-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/816-67-0x0000000000000000-mapping.dmp
            • memory/816-96-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/816-93-0x00000000024D0000-0x000000000311A000-memory.dmp
              Filesize

              12.3MB

            • memory/816-89-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/900-54-0x0000000075C61000-0x0000000075C63000-memory.dmp
              Filesize

              8KB

            • memory/904-62-0x0000000000000000-mapping.dmp
            • memory/1040-57-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/1040-55-0x0000000000000000-mapping.dmp
            • memory/1040-88-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/1280-90-0x0000000000000000-mapping.dmp
            • memory/1280-94-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/1280-95-0x0000000074830000-0x0000000074DDB000-memory.dmp
              Filesize

              5.7MB

            • memory/1388-102-0x0000000000000000-mapping.dmp
            • memory/1536-86-0x0000000000000000-mapping.dmp
            • memory/1636-101-0x0000000000000000-mapping.dmp
            • memory/1780-84-0x0000000000000000-mapping.dmp
            • memory/1856-80-0x0000000000000000-mapping.dmp
            • memory/1936-100-0x0000000000000000-mapping.dmp
            • memory/1944-83-0x0000000000000000-mapping.dmp
            • memory/1948-85-0x0000000000000000-mapping.dmp
            • memory/1956-87-0x0000000000000000-mapping.dmp
            • memory/1988-98-0x0000000000000000-mapping.dmp