Analysis

  • max time kernel
    147s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 14:56

General

  • Target

    8cc23b0aaa5df43e2bfd85ba9d8e5ac83f1070a96aeb09f533b7b6be50602ac6.exe

  • Size

    4.2MB

  • MD5

    222ed21454fe20b7b03ddfdea73f38af

  • SHA1

    a96bcb7230d6b1898047a0b39a6dc6d2654d0a42

  • SHA256

    8cc23b0aaa5df43e2bfd85ba9d8e5ac83f1070a96aeb09f533b7b6be50602ac6

  • SHA512

    f2221af308723a0ecdc85196733bed7c52d5d2369b9ec11c095c96f82875521856c0e402814240467da8df0bf1b40ef7e7d5faae27f58a83d66cd9fd98dd81f0

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 9 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cc23b0aaa5df43e2bfd85ba9d8e5ac83f1070a96aeb09f533b7b6be50602ac6.exe
    "C:\Users\Admin\AppData\Local\Temp\8cc23b0aaa5df43e2bfd85ba9d8e5ac83f1070a96aeb09f533b7b6be50602ac6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\done.sfx.exe
        done.sfx.exe -p12345 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Users\Admin\AppData\Local\Temp\done.exe
          "C:\Users\Admin\AppData\Local\Temp\done.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Program Files (x86)\Skype\Skype\install.bat" "
            5⤵
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im 4t4t5
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2028
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im g4rgt
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:864
            • C:\Windows\SysWOW64\reg.exe
              reg delete "70t9j" /f
              6⤵
              PID:1092
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s "regedit.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1816
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\Program Files\rtsd\*.*"
              6⤵
              • Drops file in Program Files directory
              • Views/modifies file attributes
              PID:340
            • C:\Program Files\rtsd\rutserv.exe
              rutserv.exe /silentinstall
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:576
            • C:\Program Files\rtsd\rutserv.exe
              rutserv.exe /firewall
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1828
            • C:\Program Files\rtsd\rutserv.exe
              rutserv.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1692
    • C:\Program Files\rtsd\rutserv.exe
      "C:\Program Files\rtsd\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Program Files\rtsd\rfusclient.exe
        "C:\Program Files\rtsd\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Program Files\rtsd\rfusclient.exe
          "C:\Program Files\rtsd\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:752
      • C:\Program Files\rtsd\rfusclient.exe
        "C:\Program Files\rtsd\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:1752

    Downloads

    • C:\Program Files (x86)\Skype\Skype\install.bat

      Filesize

      884B

      MD5

      fd6bef56a5dc776691926eb3aa7b5279

      SHA1

      da94eb0f6ca09850decb74326fe7894253dfec6c

      SHA256

      db1602d244bad54475174194204f4604804094c8156b8ea2b1dc81879be8ac92

      SHA512

      3694350a2efaece3664c96327f0fc6cb77a87d68313a3011824953650b9afc40d19b2db1743dbbd317a223d5463c7a8eae1518a9b1e417226e930a941c7f830c

    • C:\Program Files (x86)\Skype\Skype\regedit.reg

      Filesize

      12KB

      MD5

      be9eab82e90b682ee82da98a7c77fede

      SHA1

      d1ac691345dc42dc253c441e92f4e54e74135451

      SHA256

      49525765484a492bdc74a26bf2baf5f2dda6907dc1866ca80bd3d97c1177fd4d

      SHA512

      047aa0866e1c4c64ddbda3621741a117f6ce3f2cfb25dee275af26ac398d1af2148d4f068ddb84105215b52bd44932d72b6469c06a1c390a35edbd1768718204

    • C:\Program Files (x86)\Skype\Skype\rfusclient.exe

      Filesize

      1.5MB

      MD5

      f2e9b5c7de59ec84d6c066336030be1a

      SHA1

      90248d5428a8bf497a1557e1bd39c4e30d251b7f

      SHA256

      1e1ae9fdf6c9ee34d42fb2e65790bbbf4d4ef1cc9a474925f77991d323f91896

      SHA512

      48550543c7f4a4739fd70cb8da8882cfbadeea885853f174552655fca9554deab3db4480a8a021cd3ae5e6f7872ba9fcddd396c3feccdbfcc511d83074dc43ff

    • C:\Program Files (x86)\Skype\Skype\rutserv.exe

      Filesize

      1.8MB

      MD5

      1a200526e310fc51317804a0781ff47f

      SHA1

      2f586b57dad7f40cdb822acff9ba081671716235

      SHA256

      cd80744e9965b3cc76acd0ea5062a2eca70a69f8a93a0eeea5bd4c47f53a5d96

      SHA512

      ad38c5eab8d8e642f3d19e7a2926e5dbfbb63a67c73a27b3bd31cbc27de10d3f1731ce650333b75222fb371de07849aa3d65a8c787e9408b0b628ff6d8b839ad

    • C:\Program Files (x86)\Skype\Skype\vp8decoder.dll

      Filesize

      378KB

      MD5

      d43fa82fab5337ce20ad14650085c5d9

      SHA1

      678aa092075ff65b6815ffc2d8fdc23af8425981

      SHA256

      c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

      SHA512

      103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

    • C:\Program Files (x86)\Skype\Skype\vp8encoder.dll

      Filesize

      1.6MB

      MD5

      dab4646806dfca6d0e0b4d80fa9209d6

      SHA1

      8244dfe22ec2090eee89dad103e6b2002059d16a

      SHA256

      cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

      SHA512

      aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

    • C:\Program Files\rtsd\rfusclient.exe

      Filesize

      1.5MB

      MD5

      f2e9b5c7de59ec84d6c066336030be1a

      SHA1

      90248d5428a8bf497a1557e1bd39c4e30d251b7f

      SHA256

      1e1ae9fdf6c9ee34d42fb2e65790bbbf4d4ef1cc9a474925f77991d323f91896

      SHA512

      48550543c7f4a4739fd70cb8da8882cfbadeea885853f174552655fca9554deab3db4480a8a021cd3ae5e6f7872ba9fcddd396c3feccdbfcc511d83074dc43ff

    • C:\Program Files\rtsd\rutserv.exe

      Filesize

      1.8MB

      MD5

      1a200526e310fc51317804a0781ff47f

      SHA1

      2f586b57dad7f40cdb822acff9ba081671716235

      SHA256

      cd80744e9965b3cc76acd0ea5062a2eca70a69f8a93a0eeea5bd4c47f53a5d96

      SHA512

      ad38c5eab8d8e642f3d19e7a2926e5dbfbb63a67c73a27b3bd31cbc27de10d3f1731ce650333b75222fb371de07849aa3d65a8c787e9408b0b628ff6d8b839ad

    • C:\Program Files\rtsd\vp8decoder.dll

      Filesize

      378KB

      MD5

      d43fa82fab5337ce20ad14650085c5d9

      SHA1

      678aa092075ff65b6815ffc2d8fdc23af8425981

      SHA256

      c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

      SHA512

      103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

    • C:\Program Files\rtsd\vp8encoder.dll

      Filesize

      1.6MB

      MD5

      dab4646806dfca6d0e0b4d80fa9209d6

      SHA1

      8244dfe22ec2090eee89dad103e6b2002059d16a

      SHA256

      cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

      SHA512

      aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

    • C:\Users\Admin\AppData\Local\Temp\Start.bat

      Filesize

      29B

      MD5

      5c2579116c93e93aa51120f9e5c7832f

      SHA1

      8716bb82b326d4c4d1d0d459591e34cebe7452bf

      SHA256

      33a1a9c8075a826cf9af1bea7bbde3bcdc359a59104556df73004d31e6e81510

      SHA512

      272943f8efe1e93761d5d063bf5c92a15dbc34621df19bb679daf18f0ece66ee2844385a9b95283ebbbafce9f5d5ba7012792393eb886b704f123a4d65c74360

    • C:\Users\Admin\AppData\Local\Temp\done.exe

      Filesize

      3.9MB

      MD5

      00d9268a9d3afca847690635acccfee1

      SHA1

      b4d2249a60a0ddfc4da75396a43b61c028509da8

      SHA256

      eeaaae1af00f3ea508729324c617fe4e07333f29edb7405adfda9aacff4bf3c8

      SHA512

      0b3e56f89fc9d87c3c28485b5023310e37c4d0bd46ba742d2b30d8595be087aae9d470a4c65512b6935e5b506576e6374ee37974363b161da2fffdc9def19096

    • C:\Users\Admin\AppData\Local\Temp\done.sfx.exe

      Filesize

      4.1MB

      MD5

      1a3a5f5e74c490dd51ecee0e99443006

      SHA1

      d428523078df559a41138ba14a1c2371ed85cfb2

      SHA256

      09093128167ba929e88b21458c2b019d62ea427d2c953431ed18bd36eeb58afa

      SHA512

      58931690810de79f2c2a02561393ac00354a24345751d874cb3c59a28b4a839268655ce5200177a45d4a9d5eeb0095bbded9c259d86337e06dd880ec2f3b36e7

    • \Program Files\rtsd\rfusclient.exe

      Filesize

      1.5MB

      MD5

      f2e9b5c7de59ec84d6c066336030be1a

      SHA1

      90248d5428a8bf497a1557e1bd39c4e30d251b7f

      SHA256

      1e1ae9fdf6c9ee34d42fb2e65790bbbf4d4ef1cc9a474925f77991d323f91896

      SHA512

      48550543c7f4a4739fd70cb8da8882cfbadeea885853f174552655fca9554deab3db4480a8a021cd3ae5e6f7872ba9fcddd396c3feccdbfcc511d83074dc43ff

    • \Program Files\rtsd\rutserv.exe

      Filesize

      1.8MB

      MD5

      1a200526e310fc51317804a0781ff47f

      SHA1

      2f586b57dad7f40cdb822acff9ba081671716235

      SHA256

      cd80744e9965b3cc76acd0ea5062a2eca70a69f8a93a0eeea5bd4c47f53a5d96

      SHA512

      ad38c5eab8d8e642f3d19e7a2926e5dbfbb63a67c73a27b3bd31cbc27de10d3f1731ce650333b75222fb371de07849aa3d65a8c787e9408b0b628ff6d8b839ad

    • \Users\Admin\AppData\Local\Temp\done.exe

      Filesize

      3.9MB

      MD5

      00d9268a9d3afca847690635acccfee1

      SHA1

      b4d2249a60a0ddfc4da75396a43b61c028509da8

      SHA256

      eeaaae1af00f3ea508729324c617fe4e07333f29edb7405adfda9aacff4bf3c8

      SHA512

      0b3e56f89fc9d87c3c28485b5023310e37c4d0bd46ba742d2b30d8595be087aae9d470a4c65512b6935e5b506576e6374ee37974363b161da2fffdc9def19096

    • \Users\Admin\AppData\Local\Temp\done.sfx.exe

      Filesize

      4.1MB

      MD5

      1a3a5f5e74c490dd51ecee0e99443006

      SHA1

      d428523078df559a41138ba14a1c2371ed85cfb2

      SHA256

      09093128167ba929e88b21458c2b019d62ea427d2c953431ed18bd36eeb58afa

      SHA512

      58931690810de79f2c2a02561393ac00354a24345751d874cb3c59a28b4a839268655ce5200177a45d4a9d5eeb0095bbded9c259d86337e06dd880ec2f3b36e7
