Analysis
-
max time kernel
149s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-es -
resource tags
-
submitted
05-10-2022 23:33
General
-
Target
APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
-
Size
8.9MB
-
MD5
705385c167486ac75a5063f6934c5631
-
SHA1
d08da29cca536b6b502cec7ca2f5c9cb419308e2
-
SHA256
558af040bcfa1aaf774e953cca682eaaf38ec8c4f3ca4f3e24e0ea8a783ca1df
-
SHA512
67249411406d7a6f41a97a6e40facd364fb6777c2833465aacdc6081fde3854109c9a308f5dc6f03c6fd940cc2d291be7ce9b13c6dc5a45dc810d091e98d88af
-
SSDEEP
98304:7soxgg0Y8w5AUY52JgpVOEjrZGNw9J2/8w1MlpYRO1izoaRIS9NhICGucHATgwY0:p8Aohi8Y/+y
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
maraddiego763.duckdns.org:1881
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Detected google phishing page
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs 3 IoCs
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Windows security modification 2 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 41 IoCs
-
Suspicious use of SendNotifyMessage 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe"C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 22882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5068 -ip 50681⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dadmon%2Bgob%26form%3DWNSGPH%26qs%3DAS%26cvid%3D889ad7d7cb8e4f878772cac3d5ddc0d0%26pq%3DADMON%26cc%3DES%26setlang%3Des-ES%26nclid%3D03E26D907E30E8998728BC8DB27F263E%26ts%3D1665020088004%26nclidts%3D1665020088%26tsms%3D0041⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaed546f8,0x7fffaed54708,0x7fffaed547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=3984 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff61f075460,0x7ff61f075470,0x7ff61f0754803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b4 0x5141⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5974b547b9c47178dc159643052902fb2
SHA1eb5ecd8b69670078c5913788a474baa4faec0677
SHA25622c310f931ed2b5bac6074ed0952bec99d509e06f82cfd61e4e392d62c0a8af7
SHA512b54175cd8bedc288b3cc26c7c8f450f9355f53a8453ff9a9934f8c120473004c803a5fef5c41baeafe97b487ffa0bc4f23a931b39370a6652fc342d71fa7d34d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5f647b50690df702d7a7e4cd6974f2581
SHA19324c7c29804e7305bdb72c9e673d909fe976e5a
SHA2561a3219f130da2b5f13c9d470f99a6682cbf8155e62ad21cd7eafe7d0b16a72a2
SHA51201c5545adc2177bd5607d86fa9b4fdded9e9bb58c9395b94a99e88f6228d8bf025af132e52b75585e93d476d7cb075cc5ecb83675c1bed9361d29a3e1e1320fd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5de95639651c7fbfc9af1fa26162e42cf
SHA1f13217d915626621329f8d12308e2d974394b0dc
SHA2567e78d7a383f3a2abf059ad29d77f8c62e732125408a61a5516b39c4251d65181
SHA51266c3f6cdc72c0adde58634cb2f0b16d168a7f9ffebf964bb3d078a156b0f991319a3af6a35e2fa38b7b6ba50ca6f25a41a7b53a8902e06a7ffecdbe48cf0b5fd
-
\??\pipe\LOCAL\crashpad_2052_HRQRJZUUXEKVVZGUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1056-169-0x0000000000000000-mapping.dmp
-
memory/1480-179-0x0000000000000000-mapping.dmp
-
memory/1764-185-0x0000000000000000-mapping.dmp
-
memory/1768-181-0x0000000000000000-mapping.dmp
-
memory/2520-187-0x0000000000000000-mapping.dmp
-
memory/2560-144-0x00000000060B0000-0x0000000006116000-memory.dmpFilesize
408KB
-
memory/2560-152-0x000000006F420000-0x000000006F46C000-memory.dmpFilesize
304KB
-
memory/2560-158-0x0000000007B50000-0x0000000007B6A000-memory.dmpFilesize
104KB
-
memory/2560-141-0x00000000055E0000-0x0000000005662000-memory.dmpFilesize
520KB
-
memory/2560-140-0x00000000057E0000-0x0000000005E08000-memory.dmpFilesize
6.2MB
-
memory/2560-159-0x0000000007BC0000-0x0000000007BCA000-memory.dmpFilesize
40KB
-
memory/2560-138-0x0000000005090000-0x00000000050C6000-memory.dmpFilesize
216KB
-
memory/2560-135-0x0000000000000000-mapping.dmp
-
memory/2560-155-0x0000000006DF0000-0x0000000006E0E000-memory.dmpFilesize
120KB
-
memory/2560-143-0x0000000005F10000-0x0000000005F76000-memory.dmpFilesize
408KB
-
memory/2968-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2968-149-0x0000000000000000-mapping.dmp
-
memory/3248-183-0x0000000000000000-mapping.dmp
-
memory/3508-162-0x00000000076E0000-0x00000000076EE000-memory.dmpFilesize
56KB
-
memory/3508-156-0x000000006F420000-0x000000006F46C000-memory.dmpFilesize
304KB
-
memory/3508-139-0x0000000000000000-mapping.dmp
-
memory/3640-145-0x0000000006180000-0x0000000006190000-memory.dmpFilesize
64KB
-
memory/3640-136-0x0000000000000000-mapping.dmp
-
memory/3640-160-0x0000000007ED0000-0x0000000007F1A000-memory.dmpFilesize
296KB
-
memory/3640-157-0x00000000082F0000-0x000000000896A000-memory.dmpFilesize
6.5MB
-
memory/3640-151-0x0000000007B80000-0x0000000007BB2000-memory.dmpFilesize
200KB
-
memory/3640-163-0x0000000007FA0000-0x0000000007FBA000-memory.dmpFilesize
104KB
-
memory/3640-142-0x0000000005EF0000-0x0000000005F12000-memory.dmpFilesize
136KB
-
memory/3640-154-0x000000006F420000-0x000000006F46C000-memory.dmpFilesize
304KB
-
memory/3640-146-0x0000000006850000-0x0000000006952000-memory.dmpFilesize
1.0MB
-
memory/3640-147-0x0000000006980000-0x000000000699E000-memory.dmpFilesize
120KB
-
memory/3708-137-0x0000000000000000-mapping.dmp
-
memory/3708-153-0x000000006F420000-0x000000006F46C000-memory.dmpFilesize
304KB
-
memory/3708-161-0x0000000007470000-0x0000000007506000-memory.dmpFilesize
600KB
-
memory/3708-164-0x0000000007430000-0x0000000007438000-memory.dmpFilesize
32KB
-
memory/4160-175-0x0000000000000000-mapping.dmp
-
memory/4364-171-0x0000000000000000-mapping.dmp
-
memory/4412-172-0x0000000000000000-mapping.dmp
-
memory/4744-177-0x0000000000000000-mapping.dmp
-
memory/5068-132-0x0000000000620000-0x0000000000F06000-memory.dmpFilesize
8.9MB
-
memory/5068-148-0x0000000006AF0000-0x0000000006B30000-memory.dmpFilesize
256KB
-
memory/5068-134-0x0000000005ED0000-0x0000000006474000-memory.dmpFilesize
5.6MB
-
memory/5068-133-0x000000001A350000-0x000000001A3EC000-memory.dmpFilesize
624KB
-
memory/5232-189-0x0000000000000000-mapping.dmp
-
memory/5284-191-0x0000000000000000-mapping.dmp
-
memory/5300-193-0x0000000000000000-mapping.dmp
-
memory/5512-194-0x0000000000000000-mapping.dmp
-
memory/5532-195-0x0000000000000000-mapping.dmp
-
memory/5724-196-0x0000000000000000-mapping.dmp