Analysis
-
max time kernel
146s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-11-2020 21:55
Static task
static1
Behavioral task
behavioral1
Sample
lsass.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
lsass.exe
Resource
win10v20201028
General
-
Target
lsass.exe
-
Size
214KB
-
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1
-
SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec
-
SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
-
SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3404 created 4052 3404 WerFault.exe explorer.exe -
ServiceHost packer 14 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource yara_rule behavioral2/memory/4052-15-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-14-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-16-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-17-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-18-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-19-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-20-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-21-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-22-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-23-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-24-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-26-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-25-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4052-27-0x0000000000000000-mapping.dmp servicehost -
Executes dropped EXE 1 IoCs
Processes:
explorer.exepid process 4052 explorer.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid process 3708 notepad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
lsass.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" lsass.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc process File opened (read-only) \??\E: explorer.exe File opened (read-only) \??\Y: explorer.exe File opened (read-only) \??\T: explorer.exe File opened (read-only) \??\N: explorer.exe File opened (read-only) \??\I: explorer.exe File opened (read-only) \??\O: explorer.exe File opened (read-only) \??\L: explorer.exe File opened (read-only) \??\J: explorer.exe File opened (read-only) \??\H: explorer.exe File opened (read-only) \??\Z: explorer.exe File opened (read-only) \??\U: explorer.exe File opened (read-only) \??\S: explorer.exe File opened (read-only) \??\P: explorer.exe File opened (read-only) \??\Q: explorer.exe File opened (read-only) \??\M: explorer.exe File opened (read-only) \??\K: explorer.exe File opened (read-only) \??\G: explorer.exe File opened (read-only) \??\X: explorer.exe File opened (read-only) \??\W: explorer.exe File opened (read-only) \??\V: explorer.exe File opened (read-only) \??\R: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\B: explorer.exe File opened (read-only) \??\A: explorer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 geoiptool.com -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3916 4052 WerFault.exe explorer.exe 3404 4052 WerFault.exe explorer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe -
Processes:
lsass.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e lsass.exe -
Suspicious behavior: EnumeratesProcesses 848 IoCs
Processes:
explorer.exepid process 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe 4052 explorer.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
lsass.exeWerFault.exeWerFault.exetaskmgr.exedescription pid process Token: SeDebugPrivilege 2484 lsass.exe Token: SeDebugPrivilege 2484 lsass.exe Token: SeRestorePrivilege 3916 WerFault.exe Token: SeBackupPrivilege 3916 WerFault.exe Token: SeDebugPrivilege 3916 WerFault.exe Token: SeDebugPrivilege 3404 WerFault.exe Token: SeDebugPrivilege 3344 taskmgr.exe Token: SeSystemProfilePrivilege 3344 taskmgr.exe Token: SeCreateGlobalPrivilege 3344 taskmgr.exe -
Suspicious use of FindShellTrayWindow 13 IoCs
Processes:
taskmgr.exepid process 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe -
Suspicious use of SendNotifyMessage 13 IoCs
Processes:
taskmgr.exepid process 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe 3344 taskmgr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
lsass.exedescription pid process target process PID 2484 wrote to memory of 4052 2484 lsass.exe explorer.exe PID 2484 wrote to memory of 4052 2484 lsass.exe explorer.exe PID 2484 wrote to memory of 4052 2484 lsass.exe explorer.exe PID 2484 wrote to memory of 3708 2484 lsass.exe notepad.exe PID 2484 wrote to memory of 3708 2484 lsass.exe notepad.exe PID 2484 wrote to memory of 3708 2484 lsass.exe notepad.exe PID 2484 wrote to memory of 3708 2484 lsass.exe notepad.exe PID 2484 wrote to memory of 3708 2484 lsass.exe notepad.exe PID 2484 wrote to memory of 3708 2484 lsass.exe notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lsass.exe"C:\Users\Admin\AppData\Local\Temp\lsass.exe"1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 17803⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 18003⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
e5be8c65934ad0c00c584026d085108e
SHA16ce4c8bc54630bf9f70d3fe93ce91bf44004439f
SHA25668413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315
SHA51250470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
3208da0c038576623565b095fcea4ad1
SHA1bc421f8eb4b9c6100aa444edece988c01dd63b26
SHA25616ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
SHA51217fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
3bf227caeee1b07d47b29873a1640f1a
SHA161af6e587db89d7d7f518bb1e16c2d73451e5ed6
SHA25630becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980
SHA51229a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
65bf6594d95dd6390855b90b1dbe7996
SHA15ee9ac14e902068de265852e88c599dd5e9018d1
SHA2565a6c3e078b44ec56677cc51be7363932d749263cc96c3a981c2c36e2d373b12d
SHA5127506d63de159db90652bcd3db10900e5cda8bbb4e17f7b2f59e3de809f059142803d8146f3d0bafa26d24e8f1b76552577ceefff567e58a20e3fa1cfc53602a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
e9c0b652bef494aa397b601ed0100410
SHA1f9e619404ebe27122d7fa0c7f211994da659096e
SHA256d91da219d0d454dbb67b624adcbc71a5dcccc2f1fc114f8a1af3d03f5edef38a
SHA512d42a80d7d2c0c5756e4c4e06a56a6e795ca268140a51edef915db6f1909bc42ea29a136c3fb8d67d5fc1c1409019acf889e0256d25dbcdfa46e9e014233f50a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
0e094aa6e4c1942162e5ec20d7c1ee01
SHA12ef7913cc74540858daddfe437767b1a18e568cb
SHA25622f4cc935e4aca60f79b475531b023069c7341f752e548e3d11bf2c361f4dd9e
SHA512478dcd74baccc60b89f8ff1a49d4d10b65bc62d999261e00ad4ae8401b9972d93d7fcdbfacee5ffb1bed639de597966c20252481b7c29f712a3569f4c6a8dc73
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\QA26QEM1.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\7E8NEBMU.htmMD5
8615e70875c2cc0b9db16027b9adf11d
SHA14ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
memory/3404-67-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/3404-51-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/3404-50-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/3708-4-0x0000000000000000-mapping.dmp
-
memory/3708-3-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/3916-28-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/3916-13-0x0000000004400000-0x0000000004401000-memory.dmpFilesize
4KB
-
memory/4052-15-0x0000000000000000-mapping.dmp
-
memory/4052-46-0x0000000000000000-mapping.dmp
-
memory/4052-19-0x0000000000000000-mapping.dmp
-
memory/4052-20-0x0000000000000000-mapping.dmp
-
memory/4052-21-0x0000000000000000-mapping.dmp
-
memory/4052-22-0x0000000000000000-mapping.dmp
-
memory/4052-23-0x0000000000000000-mapping.dmp
-
memory/4052-24-0x0000000000000000-mapping.dmp
-
memory/4052-26-0x0000000000000000-mapping.dmp
-
memory/4052-25-0x0000000000000000-mapping.dmp
-
memory/4052-27-0x0000000000000000-mapping.dmp
-
memory/4052-17-0x0000000000000000-mapping.dmp
-
memory/4052-37-0x0000000000000000-mapping.dmp
-
memory/4052-38-0x0000000000000000-mapping.dmp
-
memory/4052-39-0x0000000000000000-mapping.dmp
-
memory/4052-40-0x0000000000000000-mapping.dmp
-
memory/4052-41-0x0000000000000000-mapping.dmp
-
memory/4052-42-0x0000000000000000-mapping.dmp
-
memory/4052-43-0x0000000000000000-mapping.dmp
-
memory/4052-44-0x0000000000000000-mapping.dmp
-
memory/4052-45-0x0000000000000000-mapping.dmp
-
memory/4052-18-0x0000000000000000-mapping.dmp
-
memory/4052-47-0x0000000000000000-mapping.dmp
-
memory/4052-48-0x0000000000000000-mapping.dmp
-
memory/4052-49-0x0000000000000000-mapping.dmp
-
memory/4052-16-0x0000000000000000-mapping.dmp
-
memory/4052-14-0x0000000000000000-mapping.dmp
-
memory/4052-53-0x0000000000000000-mapping.dmp
-
memory/4052-54-0x0000000000000000-mapping.dmp
-
memory/4052-55-0x0000000000000000-mapping.dmp
-
memory/4052-56-0x0000000000000000-mapping.dmp
-
memory/4052-57-0x0000000000000000-mapping.dmp
-
memory/4052-58-0x0000000000000000-mapping.dmp
-
memory/4052-59-0x0000000000000000-mapping.dmp
-
memory/4052-60-0x0000000000000000-mapping.dmp
-
memory/4052-61-0x0000000000000000-mapping.dmp
-
memory/4052-62-0x0000000000000000-mapping.dmp
-
memory/4052-63-0x0000000000000000-mapping.dmp
-
memory/4052-64-0x0000000000000000-mapping.dmp
-
memory/4052-65-0x0000000000000000-mapping.dmp
-
memory/4052-66-0x0000000000000000-mapping.dmp
-
memory/4052-0-0x0000000000000000-mapping.dmp