Analysis
-
max time kernel
124s -
max time network
83s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07-11-2022 11:27
Static task
static1
Behavioral task
behavioral1
Sample
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe
Resource
win10v2004-20220901-en
General
-
Target
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe
-
Size
329KB
-
MD5
0caeb16a32c53d97d86c913bd9a19430
-
SHA1
a14d5cf6e960f33c04988ae80e5a1bc5d9b23e78
-
SHA256
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653
-
SHA512
ec7138446c4c958cd41e4b7263a044d35bb5bc6bde833409c70e3adf1c22febdbef2b64e13668cf2b364f30745f6da4955bb6004ad4f294a3e933c4a1a3c4e93
-
SSDEEP
6144:AqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:AqjvlA06wLBHAf9eMvHwmVkhL36zYwHh
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exedescription ioc process File created C:\Windows\SysWOW64\drivers\37a5d930.sys 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 1608 takeown.exe 876 icacls.exe 1168 takeown.exe 1740 icacls.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\37a5d930\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\37a5d930.sys" 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1180 cmd.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 1608 takeown.exe 876 icacls.exe 1168 takeown.exe 1740 icacls.exe -
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Drops file in System32 directory 4 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exedescription ioc process File created C:\Windows\SysWOW64\wshtcpip.dll 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe File created C:\Windows\SysWOW64\midimap.dll 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe File created C:\Windows\SysWOW64\ws2tcpip.dll 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe File opened for modification C:\Windows\SysWOW64\ws2tcpip.dll 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Modifies registry class 4 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "eVwuDswJG.dll" 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe" 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exepid process 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exepid process 464 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe Token: SeTakeOwnershipPrivilege 1608 takeown.exe Token: SeTakeOwnershipPrivilege 1168 takeown.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.execmd.execmd.exedescription pid process target process PID 612 wrote to memory of 672 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 672 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 672 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 672 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 672 wrote to memory of 1608 672 cmd.exe takeown.exe PID 672 wrote to memory of 1608 672 cmd.exe takeown.exe PID 672 wrote to memory of 1608 672 cmd.exe takeown.exe PID 672 wrote to memory of 1608 672 cmd.exe takeown.exe PID 672 wrote to memory of 876 672 cmd.exe icacls.exe PID 672 wrote to memory of 876 672 cmd.exe icacls.exe PID 672 wrote to memory of 876 672 cmd.exe icacls.exe PID 672 wrote to memory of 876 672 cmd.exe icacls.exe PID 612 wrote to memory of 1836 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 1836 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 1836 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 1836 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 1836 wrote to memory of 1168 1836 cmd.exe takeown.exe PID 1836 wrote to memory of 1168 1836 cmd.exe takeown.exe PID 1836 wrote to memory of 1168 1836 cmd.exe takeown.exe PID 1836 wrote to memory of 1168 1836 cmd.exe takeown.exe PID 1836 wrote to memory of 1740 1836 cmd.exe icacls.exe PID 1836 wrote to memory of 1740 1836 cmd.exe icacls.exe PID 1836 wrote to memory of 1740 1836 cmd.exe icacls.exe PID 1836 wrote to memory of 1740 1836 cmd.exe icacls.exe PID 612 wrote to memory of 1180 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 1180 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 1180 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe PID 612 wrote to memory of 1180 612 9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe"C:\Users\Admin\AppData\Local\Temp\9d82d569c2258a41f2542fab5a1e1bfb1caffa2a43f4c7b6a69a8a85d0bfc653.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\wshtcpip.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\midimap.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.batFilesize
181B
MD588fc1253db34e2af3b89db3305e05e50
SHA1bc4519e0eec3c0814835f3528bd92cf3165508ba
SHA2569c70b9b03df7b03c3b758ff697c495db92341e907d6fae2afa22ba8a6f647752
SHA512d5e83693f8cb932cb7f63b812829544aa2d91f1e49dba8dfe063a97846ed1da7bec0bfb739e8852008bf60d1937fdbff295c07ac1508e85162a1b3e186e1e334
-
memory/612-54-0x0000000076171000-0x0000000076173000-memory.dmpFilesize
8KB
-
memory/612-55-0x0000000001000000-0x0000000001168000-memory.dmpFilesize
1.4MB
-
memory/612-56-0x00000000002A0000-0x00000000002C0000-memory.dmpFilesize
128KB
-
memory/612-57-0x0000000001000000-0x0000000001168000-memory.dmpFilesize
1.4MB
-
memory/612-58-0x00000000002A0000-0x00000000002C0000-memory.dmpFilesize
128KB
-
memory/612-66-0x0000000001000000-0x0000000001168000-memory.dmpFilesize
1.4MB
-
memory/672-59-0x0000000000000000-mapping.dmp
-
memory/876-61-0x0000000000000000-mapping.dmp
-
memory/1168-63-0x0000000000000000-mapping.dmp
-
memory/1180-65-0x0000000000000000-mapping.dmp
-
memory/1608-60-0x0000000000000000-mapping.dmp
-
memory/1740-64-0x0000000000000000-mapping.dmp
-
memory/1836-62-0x0000000000000000-mapping.dmp