Overview

overview

10

Static

static

Takeaway.exe

windows7-x64

10

Takeaway.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2022 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Takeaway.exe

  • Size

    380KB

  • MD5

    a1ef511c6b47307948465fe6e1af6997

  • SHA1

    103f8cc1af6581b4be3f606fd86940d632a450d1

  • SHA256

    dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584

  • SHA512

    8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821

  • SSDEEP

    6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3p0Ov6Po5/RrVqB8hgh6mTi:NxmIJQvPkitEqZR3p0u6+URTi

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email GetDecoding@zimbabwe.su YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: getdecoding@msgsafe.io Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

GetDecoding@zimbabwe.su

getdecoding@msgsafe.io

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Takeaway.exe
    "C:\Users\Admin\AppData\Local\Temp\Takeaway.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA146.tmp" "c:\Users\Admin\AppData\Local\Temp\uimfrzco\CSC3B723571DD294859AE6D8A2FBE605F34.TMP"
          4⤵
            PID:4560
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3960
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3676
        • C:\Users\Admin\AppData\Local\Temp\NS2.exe
          "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            4⤵
              PID:3856
          • C:\Users\Admin\AppData\Local\Temp\winhost.exe
            "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
            3⤵
            • Executes dropped EXE
            • Modifies extensions of user files
            • Checks computer location settings
            • Drops startup file
            • Adds Run key to start application
            • Drops desktop.ini file(s)
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1572
              • C:\Windows\system32\mode.com
                mode con cp select=1251
                5⤵
                  PID:4472
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  5⤵
                  • Interacts with shadow copies
                  PID:3732
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3100
                • C:\Windows\system32\mode.com
                  mode con cp select=1251
                  5⤵
                    PID:4692
                  • C:\Windows\system32\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    5⤵
                    • Interacts with shadow copies
                    PID:4384
                • C:\Windows\System32\mshta.exe
                  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                  4⤵
                    PID:3128
                  • C:\Windows\System32\mshta.exe
                    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                    4⤵
                      PID:3180
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2336
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4928
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                1⤵
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                PID:1136

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              File Deletion

              2
              T1107

              Modify Registry

              1
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Inhibit System Recovery

              2
              T1490

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                Filesize

                7KB

                MD5

                5cb4ca15a55ebd60ef96a0d6bcb2191f

                SHA1

                cf297b67810935a444e666714350d4c652445f06

                SHA256

                049afe797d619c72862eeea9d9befa904174e7e0c00cc261e52bbe69b687f66b

                SHA512

                02195bcbd066f08db559622d332f62087f414794555d745b5eca35b3b2031c4ba1ccb0b24a96e001cc7a226bccd7f2279a8e22db8ec3c5e7fbf89e66b2fb4c8a

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                Filesize

                53KB

                MD5

                124edf3ad57549a6e475f3bc4e6cfe51

                SHA1

                80f5187eeebb4a304e9caa0ce66fcd78c113d634

                SHA256

                638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

                SHA512

                b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                Filesize

                53KB

                MD5

                124edf3ad57549a6e475f3bc4e6cfe51

                SHA1

                80f5187eeebb4a304e9caa0ce66fcd78c113d634

                SHA256

                638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

                SHA512

                b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                24KB

                MD5

                2b86eac633d551dc7cdd11cede1e4cea

                SHA1

                e505371dbba0d14a5c1bbedd239ff82b1cb977ab

                SHA256

                8751b0b7b1219061e549ebd08435e7d8029efdba10bdecfe1527f71c755b67a3

                SHA512

                b66295899cb255291d400ae8de3082338850ce31d64aa1b3bd4d0ffcd59e98f53b0d06d5099653ca47b27fa73ccf8a589e78c2697e705ec5ae35f83afcc6520a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\NS2.exe
                Filesize

                125KB

                MD5

                597de376b1f80c06d501415dd973dcec

                SHA1

                629c9649ced38fd815124221b80c9d9c59a85e74

                SHA256

                f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

                SHA512

                072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\NS2.exe
                Filesize

                125KB

                MD5

                597de376b1f80c06d501415dd973dcec

                SHA1

                629c9649ced38fd815124221b80c9d9c59a85e74

                SHA256

                f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

                SHA512

                072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESA146.tmp
                Filesize

                1KB

                MD5

                2a44e4dec8fd5d6514149cc7c960beba

                SHA1

                036f27fcd9fc80a0b2750f176bb20fa89a653f6c

                SHA256

                e0e7fc8d9e9029b60440a407eff88a6f551c14ece1bc0d702286c466aeec645e

                SHA512

                b7bbe92b5f7d96078d31e91cfd2d24a668e8cf9d030d58617f4b5f69c1a23120dd09870334ff680eb3e047d963b2374ba044dd26ec976b0563260106a1e89cfd

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
                Filesize

                8KB

                MD5

                31e22820cba11f6c7670854ed65f09ed

                SHA1

                9ab447c539234e75b56b3e180f3541580ffa0cea

                SHA256

                6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035

                SHA512

                fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
                Filesize

                3KB

                MD5

                08c0963ddf483e5c233026380de1b6d0

                SHA1

                1e3a06d038a48c76a6ad0c400cf145109e7179b7

                SHA256

                488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59

                SHA512

                a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.dll
                Filesize

                3KB

                MD5

                2002a0424a227870b3a4ef95e3fb14e1

                SHA1

                44bcb2c5dcd8f5ca1eba5d16364622b8836cc5a1

                SHA256

                df31c5d9c8cfd957a6942e3f0225b62e99085a68b2f32823bf27f077f55cbaaf

                SHA512

                85c4347a367cbd6d13b299f3c5ec09c70f8767a12a414753428387e98e74f663daefee5a9d673528f3823e69c3372b266c3c6b78818c9e7bbc2b810e3e01957e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\winhost.exe
                Filesize

                92KB

                MD5

                c24f6144e905b717a372c529d969611e

                SHA1

                0a297e9e5c807c06ad10f4f746f4f9e256df6743

                SHA256

                94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

                SHA512

                f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\winhost.exe
                Filesize

                92KB

                MD5

                c24f6144e905b717a372c529d969611e

                SHA1

                0a297e9e5c807c06ad10f4f746f4f9e256df6743

                SHA256

                94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

                SHA512

                f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                Filesize

                6KB

                MD5

                6455aa211d483fd5dd13bc2f8dc7bfa7

                SHA1

                41f0a48fbdafb734f298656f68dedb3a12b9a8a2

                SHA256

                5e7cc3ad94f2dfbe58eb7b891b8022dea8a298dcdc05dbc1f5d92fbfac131db8

                SHA512

                3fd51dc7ad37fc18a83dbb7f22fc6512edeba15147a7f42f0dcb3830d8be07bf12f94ebcfc0016108a30d3913901a16a191bf7c6ad3f73c84f416da0bd35e121

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                Filesize

                7KB

                MD5

                5cb4ca15a55ebd60ef96a0d6bcb2191f

                SHA1

                cf297b67810935a444e666714350d4c652445f06

                SHA256

                049afe797d619c72862eeea9d9befa904174e7e0c00cc261e52bbe69b687f66b

                SHA512

                02195bcbd066f08db559622d332f62087f414794555d745b5eca35b3b2031c4ba1ccb0b24a96e001cc7a226bccd7f2279a8e22db8ec3c5e7fbf89e66b2fb4c8a

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\uimfrzco\CSC3B723571DD294859AE6D8A2FBE605F34.TMP
                Filesize

                652B

                MD5

                62890d30ac092f69c5d4926454acb3bf

                SHA1

                b3919dbc0d4b7375066d104f27ca58ae9bba2256

                SHA256

                98ef4c53e5c093ad3548a8a78a26041dd3f1f7f5673a55a6044fc29c89dd9371

                SHA512

                20bc083c924f46bb30449ce33c207a2eafd686623c48e5ca7d1dfe1615ae959c470868977b2d10b7e54c67848a18102ac007ec100bffab15cd16553e022cce94

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.0.cs
                Filesize

                308B

                MD5

                9c478287d8b4ad6cd34ac20bdac9577c

                SHA1

                73965974950d1be20682abc2f716e5070f2c7097

                SHA256

                8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f

                SHA512

                b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.cmdline
                Filesize

                369B

                MD5

                7a5f236a3212f715badc84413f9d50c4

                SHA1

                12c6ad088378c515ea0d337fc5c355e26250db1e

                SHA256

                fa4147116cd2acf7852f3b2ec14b2584519ee99faa7b8f21bbcb4e9551951152

                SHA512

                598963b97d0d5daa4c0d74e2ca00c6b9a1938d037c4ad56caa316b5169017f13be4d8609583546fb615a2c3b65efa4fa8b1a91001b14f32f3913a9509782f4e2

                Download Submit
              • memory/384-164-0x0000000000000000-mapping.dmp
                Download
              • memory/808-167-0x0000000000000000-mapping.dmp
                Download
              • memory/1064-142-0x0000000000000000-mapping.dmp
                Download
              • memory/1572-169-0x0000000000000000-mapping.dmp
                Download
              • memory/2236-160-0x0000000007AC0000-0x0000000007ACE000-memory.dmp
                Filesize

                56KB

                Download
              • memory/2236-134-0x0000000004DB0000-0x00000000053D8000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/2236-157-0x0000000007190000-0x00000000071AE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/2236-158-0x00000000072E0000-0x00000000072EA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/2236-155-0x0000000070180000-0x00000000701CC000-memory.dmp
                Filesize

                304KB

                Download
              • memory/2236-132-0x0000000000000000-mapping.dmp
                Download
              • memory/2236-161-0x0000000007B40000-0x0000000007B5A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/2236-162-0x0000000007B30000-0x0000000007B38000-memory.dmp
                Filesize

                32KB

                Download
              • memory/2236-154-0x00000000071B0000-0x00000000071E2000-memory.dmp
                Filesize

                200KB

                Download
              • memory/2236-133-0x0000000004740000-0x0000000004776000-memory.dmp
                Filesize

                216KB

                Download
              • memory/2236-151-0x0000000008070000-0x0000000008614000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/2236-150-0x0000000006DC0000-0x0000000006DE2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/2236-149-0x0000000006E60000-0x0000000006EF6000-memory.dmp
                Filesize

                600KB

                Download
              • memory/2236-136-0x0000000005510000-0x0000000005576000-memory.dmp
                Filesize

                408KB

                Download
              • memory/2236-141-0x0000000006100000-0x000000000611A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/2236-137-0x00000000055F0000-0x0000000005656000-memory.dmp
                Filesize

                408KB

                Download
              • memory/2236-138-0x0000000005BE0000-0x0000000005BFE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/2236-156-0x00000000702E0000-0x0000000070634000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/2236-135-0x0000000004D30000-0x0000000004D52000-memory.dmp
                Filesize

                136KB

                Download
              • memory/2236-140-0x0000000007440000-0x0000000007ABA000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/3100-182-0x0000000000000000-mapping.dmp
                Download
              • memory/3128-184-0x0000000000000000-mapping.dmp
                Download
              • memory/3180-185-0x0000000000000000-mapping.dmp
                Download
              • memory/3676-177-0x0000000000000000-mapping.dmp
                Download
              • memory/3732-171-0x0000000000000000-mapping.dmp
                Download
              • memory/3856-172-0x0000000000000000-mapping.dmp
                Download
              • memory/3960-176-0x000000000A7D0000-0x000000000A7FC000-memory.dmp
                Filesize

                176KB

                Download
              • memory/3960-174-0x00000000702E0000-0x0000000070634000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/3960-173-0x0000000070180000-0x00000000701CC000-memory.dmp
                Filesize

                304KB

                Download
              • memory/3960-152-0x0000000000000000-mapping.dmp
                Download
              • memory/4384-186-0x0000000000000000-mapping.dmp
                Download
              • memory/4472-170-0x0000000000000000-mapping.dmp
                Download
              • memory/4560-145-0x0000000000000000-mapping.dmp
                Download
              • memory/4692-183-0x0000000000000000-mapping.dmp
                Download