Analysis
-
max time kernel
131s -
max time network
128s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:17
Static task
static1
Behavioral task
behavioral1
Sample
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe
Resource
win10v20201028
General
-
Target
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe
-
Size
94KB
-
MD5
69f1172b3f31746992b86467578d5ab2
-
SHA1
f24491dc99ad02f0d1c502b312df0b51670db738
-
SHA256
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe
-
SHA512
a893f5d07f3db175eec9441197b499ce856a089386a2d95f0dd4cd37734e060f9216125425f229841e8a8c825dddc2c26e82ccd41d802d7f55dbf0ea321b7c46
Malware Config
Extracted
C:\Users\Public\Libraries\CBC76-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\Users\Admin\Music\CBC76-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Signatures
-
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
Processes:
resource yara_rule behavioral2/memory/1028-1-0x0000000000BC0000-0x0000000000BDB000-memory.dmp netwalker_ransomware behavioral2/memory/2492-2-0x0000000002B80000-0x0000000002B9B000-memory.dmp netwalker_ransomware -
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
explorer.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\BlockConvert.tiff explorer.exe -
Deletes itself 1 IoCs
Processes:
explorer.exepid process 2492 explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbc7686a = "C:\\Program Files (x86)\\cbc7686a\\cbc7686a.exe" explorer.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exedescription pid process target process PID 1028 set thread context of 2492 1028 209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe explorer.exe -
Drops file in Program Files directory 17165 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\opt-in-ad-popup.wav explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\classic.mobile.jpg explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-400.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-150.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48_altform-unplated.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5372_32x32x32.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\AppxSignature.p7x explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_20x20x32.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_base.jpg explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\CBC76-Readme.txt explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\CBC76-Readme.txt explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\CBC76-Readme.txt explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-black.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PhoneNumber.SMS.model explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_48x48x32.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ws_60x42.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleSplashScreen.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd2.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-300.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-300.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-300.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\ui-strings.js explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Small.jpg explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-72x72-precomposed.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-80.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\LINEAR_RGB.pf explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_delete@1x.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\PlayStore_icon.svg explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\649_40x40x32.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-400.png explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\CBC76-Readme.txt explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\IncomingCallBrandingImage.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.scale-200.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\CBC76-Readme.txt explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-16.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\thinking.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-200.png explorer.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 676 vssadmin.exe 6752 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 25845 IoCs
Processes:
explorer.exeexplorer.exepid process 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 2492 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe 3784 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exeexplorer.exepid process 1028 209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe 2492 explorer.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
explorer.exevssvc.exeexplorer.exedescription pid process Token: SeDebugPrivilege 3784 explorer.exe Token: SeBackupPrivilege 184 vssvc.exe Token: SeRestorePrivilege 184 vssvc.exe Token: SeAuditPrivilege 184 vssvc.exe Token: SeDebugPrivilege 2492 explorer.exe Token: SeImpersonatePrivilege 2492 explorer.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exeexplorer.exeexplorer.exedescription pid process target process PID 1028 wrote to memory of 2492 1028 209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe explorer.exe PID 1028 wrote to memory of 2492 1028 209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe explorer.exe PID 1028 wrote to memory of 2492 1028 209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe explorer.exe PID 2492 wrote to memory of 3784 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 3784 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 3784 2492 explorer.exe explorer.exe PID 3784 wrote to memory of 676 3784 explorer.exe vssadmin.exe PID 3784 wrote to memory of 676 3784 explorer.exe vssadmin.exe PID 2492 wrote to memory of 4412 2492 explorer.exe notepad.exe PID 2492 wrote to memory of 4412 2492 explorer.exe notepad.exe PID 2492 wrote to memory of 4412 2492 explorer.exe notepad.exe PID 2492 wrote to memory of 6752 2492 explorer.exe vssadmin.exe PID 2492 wrote to memory of 6752 2492 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe"C:\Users\Admin\AppData\Local\Temp\209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Modifies extensions of user files
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\CBC76-Readme.txt"3⤵
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\CBC76-Readme.txtMD5
6e9cdd3f39f50903beba6b8afe6968c8
SHA15845aa21bc374eeb794de83dda1afe43086e8d8b
SHA256f23e4bafdfed627c0b2ec831cd0abbaace9943426ee6ce7434713b3de7bddd21
SHA512e65f173a2b0e350f0498b94fbf98b66a8f13c7f5f0f84c4a82e66e61a9aa3ece9549b11f87931cff01ee855d7fb9829898b02d27f21a507144b9cedb537a7868
-
memory/676-4-0x0000000000000000-mapping.dmp
-
memory/1028-1-0x0000000000BC0000-0x0000000000BDB000-memory.dmpFilesize
108KB
-
memory/2492-0-0x0000000000000000-mapping.dmp
-
memory/2492-2-0x0000000002B80000-0x0000000002B9B000-memory.dmpFilesize
108KB
-
memory/3784-3-0x0000000000000000-mapping.dmp
-
memory/4412-6-0x0000000000000000-mapping.dmp
-
memory/6752-7-0x0000000000000000-mapping.dmp