Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-06-2022 17:54
Static task
- static1
Behavioral task
- behavioral1
  Sample: svchOst.exe
  Resource: win7-20220414-en
Behavioral task
- behavioral2
  Sample: svchOst.exe
  Resource: win10v2004-20220414-en
General
- Target: svchOst.exe
- Size: 178KB
- MD5: b21a2b18631fc2d5493eb53807075380
- SHA1: 1c1c7cf048ae795cf6f29351c719772f4c1fb425
- SHA256: e49fd2651d5f3d5ffd999104841edd3e6e6dbd342507df6d2201720bdca65a74
- SHA512: ca8d5141db157d5691998dd99b7bba882e227c2cf03c99aba71587644ca749a40fcf7f27cfe555253dad61921d7e3a27c3562119b0fc7913c129a04a043ad660
Malware Config
Extracted
C:\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
filedecryptionsupport@msgsafe.io
Signatures
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
- File renamed C:\Users\Admin\Pictures\ResumeDeny.raw => C:\Users\Admin\Pictures\ResumeDeny.raw.i_mod_hacked (process: svchOst.exe)
- File renamed C:\Users\Admin\Pictures\WaitDebug.crw => C:\Users\Admin\Pictures\WaitDebug.crw.i_mod_hacked (process: svchOst.exe)
- File renamed C:\Users\Admin\Pictures\CompleteEnable.raw => C:\Users\Admin\Pictures\CompleteEnable.raw.i_mod_hacked (process: svchOst.exe)
- File opened for modification C:\Users\Admin\Pictures\ExpandReset.tiff (process: svchOst.exe)
- File renamed C:\Users\Admin\Pictures\ExpandReset.tiff => C:\Users\Admin\Pictures\ExpandReset.tiff.i_mod_hacked (process: svchOst.exe)
- File renamed C:\Users\Admin\Pictures\MeasureRedo.raw => C:\Users\Admin\Pictures\MeasureRedo.raw.i_mod_hacked (process: svchOst.exe)
Drops startup file 1 IoCs
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt (process: svchOst.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 31 IoCs
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 45 IoCs
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- PID 788 wrote to memory of 1760 (pid: 788, process: svchOst.exe, target process: cmd.exe)
- PID 788 wrote to memory of 1760 (pid: 788, process: svchOst.exe, target process: cmd.exe)
- PID 1760 wrote to memory of 2200 (pid: 1760, process: cmd.exe, target process: WMIC.exe)
- PID 1760 wrote to memory of 2200 (pid: 1760, process: cmd.exe, target process: WMIC.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\svchOst.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\svchOst.exe"
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
C:\Windows\SYSTEM32\cmd.exe (tree depth 2)
Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AD057C6-01E7-41BE-8363-DFAD0D4032B1}'" delete
- Suspicious use of WriteProcessMemory
C:\Windows\System32\wbem\WMIC.exe (tree depth 3)
Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AD057C6-01E7-41BE-8363-DFAD0D4032B1}'" delete
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\NOTEPAD.EXE (tree depth 1)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
  Filesize: 2KB
  MD5: 3949600f0366c164183a14a99429e10d
  SHA1: 2d99d7027b87e990d710b146ed70d8520a78f39c
  SHA256: e1e9a7ebc9575cf6e0f61dda50e0d2f5b7ba851a8f9c05e491e731b0a53aea46
  SHA512: dc36c0e386ff0c07a2851efa2677db6b6e6ec231d9b6613495ad423cf18dc0c5c21daa2378eeaf0718755964486e8fc268e8fb721be74a24a1d5eadae72ddde2
- memory/1760-130-0x0000000000000000-mapping.dmp
- memory/2200-131-0x0000000000000000-mapping.dmp