Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
24-11-2022 12:11
General
-
Target
c650d3c4996f85b5149f5160fc48855e91184b9906ca5436c7db1daf6bd5649e.exe
-
Size
4.2MB
-
MD5
e3840926ecd0a127933545a34308e154
-
SHA1
5a92233eef65c27de9920b0b448de6ac6983778d
-
SHA256
c650d3c4996f85b5149f5160fc48855e91184b9906ca5436c7db1daf6bd5649e
-
SHA512
9b3bb3306c56ca490601f78445dcd8dbf6437f42bab67cc93d6baa6e81e33fddbd4da6f5e26aaf60f43d40a83aa9a700521f35e09504a82db90fd78ffefa3a2e
-
SSDEEP
98304:RpZb+Ma7ksZGweOjnvbE7WSW1xTAvpB+VK5/FoUS96:Bb+CurBjjE7WSWe+VKvpS96
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 7 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c650d3c4996f85b5149f5160fc48855e91184b9906ca5436c7db1daf6bd5649e.exe"C:\Users\Admin\AppData\Local\Temp\c650d3c4996f85b5149f5160fc48855e91184b9906ca5436c7db1daf6bd5649e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\io.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\exes\setup.bat" "3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 24⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq wget.exe" /NH4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "wget.exe"4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /v FUSClientPath /t REG_SZ /d "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe" /f4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\*.*"4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8decoder.dll"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8encoder.dll"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exe"rutserv.exe" /silentinstall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exe"rutserv.exe" /firewall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v DisplayName /t REG_SZ /d "Microsoft Corporation" /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v Description /t REG_SZ /d "Microsoft Windows" /f4⤵
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exerutserv.exe /start4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe /tray2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\exes\bat.batFilesize
178B
MD5b8dda233f9810dc7da01ab6bb0a7d34d
SHA1749d2f14ab86fdcd23ddbaad99c9b974c4ae6dd4
SHA2563f35efb7d0ed5d56700451431d4d3626ef1cebf7289dbf75cda7123f53e91746
SHA5126b47cee19f74a4f90d326cb88a27ab5bcf2f8e90c46490bcd23cd24f7aeb50649f8344a21d1da93c24b6af334fdf3a5fc45143ce137469edac84bead8bf5a95c
-
C:\Users\Admin\AppData\Local\Temp\exes\bat.vbsFilesize
113B
MD59a9ec59df719a15b2cadb19ecce9adfd
SHA1172b551d1d04c93c8bb52ead5a88b084e3c8f469
SHA2569413f4a4084d653e2acd3ea80282a261d8356f2605ae7a502ef364c54d4ab2d8
SHA5121f1f678802ad5d5b86824ae789d8ebc64abc8d84686118051f73cfb0f3c6ff41ef19478f4073040d864fc697fe047bf7cd715632eb9b1b1f4d6e4e5799907b20
-
C:\Users\Admin\AppData\Local\Temp\exes\de.exeFilesize
98KB
MD53234ca7ffaab06077240020bb183659f
SHA19614bb744a82156f461e4b685c0fe570b4776599
SHA256507af2772c7740f66fd15211f260f7f1989e433b31367587812fce3f67679c51
SHA5120878b6ef55b11ba632a544e01af4836b00d0b0e4eca7033549d9ac2ad2132a7cab275a4027f8f994fc5e0b99918a657faf2d7914c85d8530742f62d7b3ee06c9
-
C:\Users\Admin\AppData\Local\Temp\exes\io.vbsFilesize
115B
MD51314d834dc9a58668956252e40c8af4d
SHA15d5062e6b06aad2c1f1e51e18e0e293dba1e1a66
SHA256fad0bbb55f7591b441b351fb693b128f2e384685bf576201d942c10e0047df4f
SHA51273e636d95414bec0c987ffbe431d16e95c8d95c72d9504880b4e9cdd1a1064bc6afc43974e281bd2c852fa0cc883d131ca5cb27ee3d4966b4c5b09343c52dcc9
-
C:\Users\Admin\AppData\Local\Temp\exes\regedit.regFilesize
24KB
MD5aec8ba25f3bc3ef45c0d8c28b689c2d3
SHA11c2b434b724236b8e9118b234e622a541aeb7554
SHA256b9178c0e6b2bbd19ad15ffb7d120d8818bf27a35a2e6ebf343959f833d495f85
SHA512e1f19ebfcf05d7e94b10e66acea72a1dab5204c69390fc0443ed159103fbc059f8cd8032f303c3af75dd2e5eebae614ce69bc7fc5b30158dbf6f122e38189023
-
C:\Users\Admin\AppData\Local\Temp\exes\rfusclient.exeFilesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
C:\Users\Admin\AppData\Local\Temp\exes\russian.lgFilesize
48KB
MD59558b5bc81eb3d87ca356676cd22a09a
SHA11851e3eed3aff625cf9336694d6374ce24ad5814
SHA256ef247557be6f34aa3ec855e0d0a0367ae0660ff3104791e345363904428de7e8
SHA5124f034167680f90cb166ad73a52fca40e863f63fe056917bb0603132bbeccc592ddb4a9c7f7a10dd022ec5b326bd24f68b9ebbcbc02879b6419fcdfb6903be434
-
C:\Users\Admin\AppData\Local\Temp\exes\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
C:\Users\Admin\AppData\Local\Temp\exes\setup.batFilesize
14KB
MD5db67fd8b8c3204ac5ac8dfd4fdf7bb4b
SHA198e2b85bc9c16cf3f1f522d724b12f8b0d8aa03b
SHA256e7053729708353f327cefdefc92b2fb3dae9c595b56427f9f80f2ad4c432aad3
SHA512e3386bd35570bc0e667b0209836c517d028f03208407c414d6a3e47a415ac71b48dd7b22c926d0f775dde46c9106f55bc1a13aa540effca3c667710ff0af5d75
-
C:\Users\Admin\AppData\Local\Temp\exes\vp8decoder.dllFilesize
151KB
MD5565f817a855a681f0b386c9fe970f764
SHA1da0645c4dd38bfc6415c4e083b505715b8b2bc75
SHA2567be9bbf87492a63833f6f2665e461d4e097e3326dec3e7984ecca8a916939843
SHA5120e851284a2c2ea1db7adeaf108cee42472018ff85e8ff28954643f417ff8b61d6d30944112678d47f65b952dbc69c097d3faf54e60b84a51eb92f07efde84f8d
-
C:\Users\Admin\AppData\Local\Temp\exes\vp8encoder.dllFilesize
257KB
MD5fd0c05de8c367b6f843c96f014f0d9d7
SHA168e6b3d8c3b906b74618c6f17c52b5ad19ab857b
SHA256a1507cb1240e89bf4f3468f462a5befab762edac1540b0d5f4839c46b137859b
SHA51212ace11d440f5fad425781f29bd94a12025718764670f0b56d49f8337cd09f43fa0a5d9579d65dcacd47f0dea3a3053b52af795c83972ae1bcc24e5a1cdce13f
-
C:\Users\Admin\AppData\Local\Temp\exes\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeFilesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeFilesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeFilesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeFilesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeFilesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
memory/112-102-0x0000000000000000-mapping.dmp
-
memory/368-90-0x0000000000000000-mapping.dmp
-
memory/572-61-0x0000000000000000-mapping.dmp
-
memory/608-97-0x0000000000000000-mapping.dmp
-
memory/680-63-0x0000000000000000-mapping.dmp
-
memory/952-69-0x0000000000000000-mapping.dmp
-
memory/1020-105-0x0000000000000000-mapping.dmp
-
memory/1128-55-0x0000000000000000-mapping.dmp
-
memory/1148-88-0x0000000000000000-mapping.dmp
-
memory/1168-117-0x0000000000000000-mapping.dmp
-
memory/1212-111-0x0000000000000000-mapping.dmp
-
memory/1244-59-0x0000000000000000-mapping.dmp
-
memory/1320-81-0x0000000000000000-mapping.dmp
-
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmpFilesize
8KB
-
memory/1468-112-0x0000000000000000-mapping.dmp
-
memory/1476-84-0x0000000000000000-mapping.dmp
-
memory/1556-86-0x0000000000000000-mapping.dmp
-
memory/1580-100-0x0000000000000000-mapping.dmp
-
memory/1636-122-0x0000000000000000-mapping.dmp
-
memory/1684-73-0x0000000000000000-mapping.dmp
-
memory/1868-71-0x0000000000000000-mapping.dmp
-
memory/1920-67-0x0000000000000000-mapping.dmp
-
memory/1948-65-0x0000000000000000-mapping.dmp
-
memory/1980-93-0x0000000000000000-mapping.dmp