Analysis
-
max time kernel
134s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
12-11-2022 10:29
General
-
Target
2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
-
Size
411KB
-
MD5
31b407850c3c20bed39117100dbcc552
-
SHA1
735a4acaf958402497b9e1b14ab3cb539e58889b
-
SHA256
2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085
-
SHA512
40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f
-
SSDEEP
6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc
Score
10/10
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Modifies boot configuration data using bcdedit 2 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Disables taskbar notifications via registry modification
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 3 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
-
Modifies file permissions 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies File Icons 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
-
Modifies Shortcut Icons 1 IoCs
Modifies/removes arrow indicator from shortcut icons.
-
Modifies data under HKEY_USERS 6 IoCs
-
Modifies registry class 64 IoCs
-
Runs .reg file with regedit 3 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"1⤵
- Adds policy Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows"\web\yh_8.cmd"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chkntfs.exeC:\Windows\system32\chkntfs /t:23⤵
-
C:\Windows\system32\bcdedit.exebcdedit /timeout 63⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\powercfg.exepowercfg -h off3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootmenupolicy legacy3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\sc.exesc config RemoteRegistry start= DISABLED3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config WerSvc start= DISABLED3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config W32Time start= DISABLED3⤵
- Launches sc.exe
-
C:\Windows\system32\net.exenet stop RemoteRegistry3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RemoteRegistry4⤵
-
C:\Windows\system32\net.exenet stop WerSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WerSvc4⤵
-
C:\Windows\system32\net.exenet stop W32Time3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W32Time4⤵
-
C:\Windows\system32\sc.exesc stop WdiSystemHost3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WdiServiceHost3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop DPS3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config DPS start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config WdiServiceHost start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config WdiSystemHost start= disabled3⤵
- Launches sc.exe
-
C:\Windows\regedit.exeREGEDIT /S c:\setup\yh_8.reg3⤵
- Runs .reg file with regedit
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /d 0 /t REG_DWORD /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /d 0 /t REG_DWORD /f3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /d 1 /t REG_dword /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /d 1 /t REG_dword /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /d 1 /t REG_DWORD /f3⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force3⤵
-
C:\Windows\regedit.exeregedit /s "C:\Windows\web\yh_8.REG"2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Registers COM server for autorun
- Allows Network login with blank passwords
- Adds Run key to start application
- Modifies File Icons
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies Shortcut Icons
- Modifies data under HKEY_USERS
- Modifies registry class
- Runs .reg file with regedit
-
C:\Windows\regedit.exeregedit /s "C:\Windows\web\zjzl.reg"2⤵
- Runs .reg file with regedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul2⤵
-
C:\Windows\system32\attrib.exeattrib +a +s +h +r "C:\Program Files\Tencent\QDesk"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\system32\cacls.execacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul2⤵
-
C:\Windows\system32\attrib.exeattrib +a +s +h +r "C:\Program Files\QDesk"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\system32\cacls.execacls "C:\Program Files\QDesk" /c /p everyone:n3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll2⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /u /s igfxpph.dll3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f3⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}3⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @echo off2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c regini regset.ini2⤵
-
C:\Windows\system32\regini.exeregini regset.ini3⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /q /f regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @echo off2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c regini regset.ini2⤵
-
C:\Windows\system32\regini.exeregini regset.ini3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /q /f regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @echo off2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c regini regset.ini2⤵
-
C:\Windows\system32\regini.exeregini regset.ini3⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @del /q /f regset.ini2⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"2⤵
-
C:\Windows\system32\PING.EXEping -n 3 127.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Change Default File Association
1Hidden Files and Directories
4Registry Run Keys / Startup Folder
3Modify Existing Service
2Defense Evasion
Modify Registry
11Hidden Files and Directories
4Bypass User Account Control
1Disabling Security Tools
2Impair Defenses
1File Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\regset.iniFilesize
118B
MD506697bf2f4f5395a9af659f50df00e3b
SHA101925ffbeed3e54e134e1fafaef8ff640dda9107
SHA2568868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1
SHA5129c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73
-
C:\Users\Admin\AppData\Local\Temp\regset.iniFilesize
118B
MD5b141c6974c48fadca812a060e03f8200
SHA1bfc010eeda61bd2bd6d3b7963570cbc7d7539037
SHA25668a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e
SHA512353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138
-
C:\Users\Admin\AppData\Local\Temp\regset.iniFilesize
79B
MD52c545704057f619fa7fb3f994862f181
SHA1b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd
SHA2560a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0
SHA5125875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84
-
C:\Windows\Web\yh_8.REGFilesize
50KB
MD503adc949c5bc4ac78de28ce1a5d5ada3
SHA1371c497dc8b78fe472d1de552e2962ab112abea8
SHA2569cdff068d11e463a5ce25d761a2c6459b231109ae99c94e6ad8707c065d953ae
SHA512698ca9319b006228235dd7179d258ebdfcce2aaffeb2c07fa83308138570df0e948a97c98e663ea84dc542a21f7faf24b1a692dbce36e65fae8814e876108a89
-
C:\Windows\web\yh_8.cmdFilesize
1KB
MD52cc1b20685beaa8050e9e2bc4ef5b1e6
SHA1e225da2c7e04480d991a6d9eaf0179bc22700a97
SHA256d61ae817aa4dd829984bbbbef9031ff08c9a726dc8038857a3ea2524b5b30d51
SHA512138b12358226d61d3736bd49ff80723ec86eeac386383b9cf0b68545072db7516309a2c7df5a0e966028cb25a701d66ccd068cfabb815e1dbe8d73ccc5c0259c
-
memory/220-154-0x0000000000000000-mapping.dmp
-
memory/228-155-0x0000000000000000-mapping.dmp
-
memory/736-193-0x0000000000000000-mapping.dmp
-
memory/1088-177-0x0000000000000000-mapping.dmp
-
memory/1196-199-0x0000000000000000-mapping.dmp
-
memory/1204-153-0x0000000000000000-mapping.dmp
-
memory/1240-159-0x0000000000000000-mapping.dmp
-
memory/1440-163-0x0000000000000000-mapping.dmp
-
memory/1444-168-0x00007FF76E660000-0x00007FF76E75A000-memory.dmpFilesize
1000KB
-
memory/1444-203-0x00007FF76E660000-0x00007FF76E75A000-memory.dmpFilesize
1000KB
-
memory/1444-136-0x00007FF76E660000-0x00007FF76E75A000-memory.dmpFilesize
1000KB
-
memory/1528-172-0x0000000000000000-mapping.dmp
-
memory/1664-169-0x0000000000000000-mapping.dmp
-
memory/1804-195-0x0000000000000000-mapping.dmp
-
memory/1848-149-0x0000000000000000-mapping.dmp
-
memory/1860-148-0x0000000000000000-mapping.dmp
-
memory/1960-134-0x0000000000000000-mapping.dmp
-
memory/1964-175-0x0000000000000000-mapping.dmp
-
memory/1996-200-0x0000000000000000-mapping.dmp
-
memory/2008-167-0x0000000000000000-mapping.dmp
-
memory/2084-187-0x0000000000000000-mapping.dmp
-
memory/2172-147-0x0000000000000000-mapping.dmp
-
memory/2264-137-0x0000000000000000-mapping.dmp
-
memory/2340-180-0x0000000000000000-mapping.dmp
-
memory/2584-181-0x0000000000000000-mapping.dmp
-
memory/2632-138-0x0000000000000000-mapping.dmp
-
memory/2680-152-0x0000000000000000-mapping.dmp
-
memory/2732-160-0x0000000000000000-mapping.dmp
-
memory/3084-132-0x0000000000000000-mapping.dmp
-
memory/3172-166-0x0000000000000000-mapping.dmp
-
memory/3180-165-0x0000000000000000-mapping.dmp
-
memory/3204-194-0x0000000000000000-mapping.dmp
-
memory/3216-182-0x0000000000000000-mapping.dmp
-
memory/3376-179-0x0000000000000000-mapping.dmp
-
memory/3384-162-0x0000000000000000-mapping.dmp
-
memory/3476-185-0x0000000000000000-mapping.dmp
-
memory/3532-164-0x0000000000000000-mapping.dmp
-
memory/3536-189-0x0000000000000000-mapping.dmp
-
memory/3632-171-0x0000000000000000-mapping.dmp
-
memory/3672-190-0x0000000000000000-mapping.dmp
-
memory/3672-135-0x0000000000000000-mapping.dmp
-
memory/3804-161-0x0000000000000000-mapping.dmp
-
memory/3872-174-0x0000000000000000-mapping.dmp
-
memory/3948-186-0x0000000000000000-mapping.dmp
-
memory/4088-145-0x0000000000000000-mapping.dmp
-
memory/4092-173-0x0000000000000000-mapping.dmp
-
memory/4184-144-0x0000000000000000-mapping.dmp
-
memory/4212-151-0x0000000000000000-mapping.dmp
-
memory/4288-178-0x0000000000000000-mapping.dmp
-
memory/4388-150-0x0000000000000000-mapping.dmp
-
memory/4388-196-0x0000000000000000-mapping.dmp
-
memory/4500-140-0x0000000000000000-mapping.dmp
-
memory/4580-133-0x0000000000000000-mapping.dmp
-
memory/4620-146-0x0000000000000000-mapping.dmp
-
memory/4684-183-0x0000000000000000-mapping.dmp
-
memory/4736-176-0x0000000000000000-mapping.dmp
-
memory/4768-143-0x0000000000000000-mapping.dmp
-
memory/4800-142-0x0000000000000000-mapping.dmp
-
memory/4840-141-0x0000000000000000-mapping.dmp
-
memory/4864-192-0x0000000000000000-mapping.dmp
-
memory/4880-191-0x0000000000000000-mapping.dmp
-
memory/4924-157-0x0000000000000000-mapping.dmp
-
memory/4956-156-0x0000000000000000-mapping.dmp
-
memory/5000-198-0x0000000000000000-mapping.dmp
-
memory/5036-158-0x0000000000000000-mapping.dmp
-
memory/5052-184-0x0000000000000000-mapping.dmp
-
memory/5072-188-0x0000000000000000-mapping.dmp