da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740

Analysis

max time kernel
156s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Size

4.8MB
MD5

52892e52a02453b4b4c19243aa2d6ac7
SHA1

d1ad866e6ca77d3fbe7252db58528240f7c444db
SHA256

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740
SHA512

16c15f63c585a459b3e83482e4171fe5b86a8bd6e142636618b7f2240d47fd59813abb44f2bec59735f7711b8b8cc02e14a9eca7d0a4a2f339f158244b24716b
SSDEEP

98304:Pcj2HBOSbXcjxJyKFnbU2rsygBuyz0ANbXBdijekvX4jtfKillblA7CjmiU/F7KY:kaEaXWYUnA2rsNLWPX4Bv0CmiU92w

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ntsmss.exesvchost.exe

pid process

1996 ntsmss.exe
3768 svchost.exe

pid	process
1996	ntsmss.exe
3768	svchost.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\libcurl.dll	vmprotect
C:\Users\Admin\AppData\Local\Temp\libcurl.dll	vmprotect
behavioral2/memory/3768-161-0x0000000180000000-0x00000001800C2000-memory.dmp	vmprotect
behavioral2/memory/3768-164-0x0000000180000000-0x00000001800C2000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exentsmss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ntsmss.exe

Loads dropped DLL 4 IoCs

Processes:

svchost.exe

pid process

3768 svchost.exe
3768 svchost.exe
3768 svchost.exe
3768 svchost.exe

pid	process
3768	svchost.exe
3768	svchost.exe
3768	svchost.exe
3768	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exentsmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows RaiseException Service = "C:\\Users\\Admin\\AppData\\Roaming\\RaiseException\\ntsmss.exe"	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows RaiseException Service = "C:\\Users\\Admin\\AppData\\Roaming\\RaiseException\\ntsmss.exe"	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ntsmss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows RaiseException Service = "C:\\Users\\Admin\\AppData\\Roaming\\RaiseException\\ntsmss.exe"	ntsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4664 taskkill.exe
4320 taskkill.exe
4508 taskkill.exe
4148 taskkill.exe
4824 taskkill.exe
1672 taskkill.exe
604 taskkill.exe
4992 taskkill.exe

pid	process
4664	taskkill.exe
4320	taskkill.exe
4508	taskkill.exe
4148	taskkill.exe
4824	taskkill.exe
1672	taskkill.exe
604	taskkill.exe
4992	taskkill.exe

Modifies registry class 2 IoCs

Processes:

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exentsmss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ntsmss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exentsmss.exe

pid	process
4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
1996	ntsmss.exe
1996	ntsmss.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeLockMemoryPrivilege	3768	svchost.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exentsmss.exe

description	pid	process	target process
PID 4204 wrote to memory of 4320	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4320	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4320	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4508	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4508	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4508	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4148	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4148	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4148	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4824	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4824	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 4824	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	taskkill.exe
PID 4204 wrote to memory of 1996	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	ntsmss.exe
PID 4204 wrote to memory of 1996	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	ntsmss.exe
PID 4204 wrote to memory of 1996	4204	da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe	ntsmss.exe
PID 1996 wrote to memory of 1672	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 1672	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 1672	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 604	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 604	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 604	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 4992	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 4992	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 4992	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 4664	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 4664	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 4664	1996	ntsmss.exe	taskkill.exe
PID 1996 wrote to memory of 3768	1996	ntsmss.exe	svchost.exe
PID 1996 wrote to memory of 3768	1996	ntsmss.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
"C:\Users\Admin\AppData\Local\Temp\da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CheckServer.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im WerFault.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im exceptionfilter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\AppData\Roaming\RaiseException\ntsmss.exe
"C:\Users\Admin\AppData\Roaming\RaiseException\ntsmss.exe" C:\Users\Admin\AppData\Local\Temp\da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CheckServer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im WerFault.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im exceptionfilter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe" -a cryptonight -o stratum+tcp://pool.cryptoescrow.eu:3333 -u 46sSETXrZGT8bupxdc2MAbLe3PMV9nJTRTE5uaFErXFz6ymyzVdH86KDb9TNoG4ny5QLELfopynWeBSMoT1M2Ga8RBkDqTH -p x -t 2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSVCR100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll
Filesize
341KB

MD5
d1c5379a98047acadaf97b35dcb239e3

SHA1
9b60fcab990cbbb237b15e6a52e29ffabca13760

SHA256
90100f13e683e8ea8196a938a9f1aad8888211a395afaba6bb55359767e00f26

SHA512
acd489256514510ff23500d9340533d4dac3e362d8f38ebf9e46fffb051b75bfd844e325ffd39b980114f718e09b3cdf01716600e14d9263ad139e0119bec841

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll
Filesize
341KB

MD5
d1c5379a98047acadaf97b35dcb239e3

SHA1
9b60fcab990cbbb237b15e6a52e29ffabca13760

SHA256
90100f13e683e8ea8196a938a9f1aad8888211a395afaba6bb55359767e00f26

SHA512
acd489256514510ff23500d9340533d4dac3e362d8f38ebf9e46fffb051b75bfd844e325ffd39b980114f718e09b3cdf01716600e14d9263ad139e0119bec841

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\pthreadVC2.dll
Filesize
81KB

MD5
4a502706d149c2f5854131a7758a90e2

SHA1
845842f909769a673138553748ad09e609ec3e17

SHA256
0e6af724609ef6846982ef717013426c359c455fff324e906d8d55c8bb88d16e

SHA512
1cdc7d92dfee299850fe8703509e3cf33470470d239b27ca9d5760d3fd01775c3512b80e4b9bdca9f782c2193be0c0a554c1bb37c1a99e435e96e14902386161

Download Submit
C:\Users\Admin\AppData\Local\Temp\pthreadVC2.dll
Filesize
81KB

MD5
4a502706d149c2f5854131a7758a90e2

SHA1
845842f909769a673138553748ad09e609ec3e17

SHA256
0e6af724609ef6846982ef717013426c359c455fff324e906d8d55c8bb88d16e

SHA512
1cdc7d92dfee299850fe8703509e3cf33470470d239b27ca9d5760d3fd01775c3512b80e4b9bdca9f782c2193be0c0a554c1bb37c1a99e435e96e14902386161

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
210KB

MD5
f269f2f43288c764d42ad78a6f2b09cb

SHA1
aefafdcb035f361e8786ce4e10e122684c674cbe

SHA256
3017c9c2d33d932e7180103cf86996d0df6de73c86eebd3f6425be188d8bcb93

SHA512
278f11d99ef8f393155151031273550de66526220f790646c343a7ce0114f37a4758d575e17ffeab74a5ccb77a8f139577ee0513478704f6422a0543b73a4b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
210KB

MD5
f269f2f43288c764d42ad78a6f2b09cb

SHA1
aefafdcb035f361e8786ce4e10e122684c674cbe

SHA256
3017c9c2d33d932e7180103cf86996d0df6de73c86eebd3f6425be188d8bcb93

SHA512
278f11d99ef8f393155151031273550de66526220f790646c343a7ce0114f37a4758d575e17ffeab74a5ccb77a8f139577ee0513478704f6422a0543b73a4b5d

Download Submit
C:\Users\Admin\AppData\Roaming\RaiseException\ntsmss.exe
Filesize
4.8MB

MD5
52892e52a02453b4b4c19243aa2d6ac7

SHA1
d1ad866e6ca77d3fbe7252db58528240f7c444db

SHA256
da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740

SHA512
16c15f63c585a459b3e83482e4171fe5b86a8bd6e142636618b7f2240d47fd59813abb44f2bec59735f7711b8b8cc02e14a9eca7d0a4a2f339f158244b24716b

Download Submit
C:\Users\Admin\AppData\Roaming\RaiseException\ntsmss.exe
Filesize
4.8MB

MD5
52892e52a02453b4b4c19243aa2d6ac7

SHA1
d1ad866e6ca77d3fbe7252db58528240f7c444db

SHA256
da90aebcc0d981ed6c0f5a0c031751b0858f7b4accd571ac2acdfc7b496d9740

SHA512
16c15f63c585a459b3e83482e4171fe5b86a8bd6e142636618b7f2240d47fd59813abb44f2bec59735f7711b8b8cc02e14a9eca7d0a4a2f339f158244b24716b

Download Submit
memory/604-148-0x0000000000000000-mapping.dmp

Download
memory/1672-147-0x0000000000000000-mapping.dmp

Download
memory/1996-144-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/1996-145-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/1996-146-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/1996-163-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/1996-140-0x0000000000000000-mapping.dmp

Download
memory/3768-164-0x0000000180000000-0x00000001800C2000-memory.dmp

Filesize
776KB

Download
memory/3768-161-0x0000000180000000-0x00000001800C2000-memory.dmp

Filesize
776KB

Download
memory/3768-151-0x0000000000000000-mapping.dmp

Download
memory/4148-137-0x0000000000000000-mapping.dmp

Download
memory/4204-139-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/4204-143-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/4204-134-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/4204-133-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/4204-132-0x0000000000400000-0x0000000000EAA000-memory.dmp

Filesize
10.7MB

Download
memory/4320-135-0x0000000000000000-mapping.dmp

Download
memory/4508-136-0x0000000000000000-mapping.dmp

Download
memory/4664-150-0x0000000000000000-mapping.dmp

Download
memory/4824-138-0x0000000000000000-mapping.dmp

Download
memory/4992-149-0x0000000000000000-mapping.dmp

Download