Analysis
-
max time kernel
114s
-
max time network
147s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
06-02-2023 06:45
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
General
-
Target
file.exe
-
Size
575KB
-
MD5
5d45385a407a405aea656472583734a3
-
SHA1
9cec6de7663715f7100893353d7ab707ade6f943
-
SHA256
dde4ae84602bcca68bf6f0083019a27aa8768876d149a96cca059652d5c99151
-
SHA512
2bf5288c4064ea415e6c0ea62d6cd30b3c3266b5ae3d3aee70bfd1236299d9ba4097e9de46c3ea16fa64f69ddc6e4eda5676ec528f0898c7ed5c3ee855201116
-
SSDEEP
12288:bMroy904a9uDgfxTGQRLxFdZWdDxDaTYiH7ED:fys9uDg0+TdqDeYiH74
Malware Config
Extracted
amadey
3.66
62.204.41.4/Gol478Ns/index.php
Signatures
-
Processes: nika.exe, aLBf.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | nika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aLBf.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mnolyk.exe, xriv.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | xriv.exe
-
Executes dropped EXE 7 IoCs
Processes: zhiga.exe, aLBf.exe, nika.exe, xriv.exe, mnolyk.exe, mnolyk.exe, mnolyk.exe
pid | process
4260 | zhiga.exe
4180 | aLBf.exe
3572 | nika.exe
3808 | xriv.exe
2952 | mnolyk.exe
2676 | mnolyk.exe
1980 | mnolyk.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
1960 | rundll32.exe
-
Processes: aLBf.exe, nika.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | aLBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | nika.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: file.exe, zhiga.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | file.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | file.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zhiga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zhiga.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3904 | 4180 | WerFault.exe | aLBf.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: aLBf.exe, nika.exe
pid | process
4180 | aLBf.exe
4180 | aLBf.exe
3572 | nika.exe
3572 | nika.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: aLBf.exe, nika.exe
description | pid | process
Token: SeDebugPrivilege | 4180 | aLBf.exe
Token: SeDebugPrivilege | 3572 | nika.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes: file.exe, zhiga.exe, xriv.exe, mnolyk.exe, cmd.exe
description | pid | process | target process
PID 1816 wrote to memory of 4260 | 1816 | file.exe | zhiga.exe
PID 1816 wrote to memory of 4260 | 1816 | file.exe | zhiga.exe
PID 1816 wrote to memory of 4260 | 1816 | file.exe | zhiga.exe
PID 4260 wrote to memory of 4180 | 4260 | zhiga.exe | aLBf.exe
PID 4260 wrote to memory of 4180 | 4260 | zhiga.exe | aLBf.exe
PID 4260 wrote to memory of 4180 | 4260 | zhiga.exe | aLBf.exe
PID 4260 wrote to memory of 3572 | 4260 | zhiga.exe | nika.exe
PID 4260 wrote to memory of 3572 | 4260 | zhiga.exe | nika.exe
PID 1816 wrote to memory of 3808 | 1816 | file.exe | xriv.exe
PID 1816 wrote to memory of 3808 | 1816 | file.exe | xriv.exe
PID 1816 wrote to memory of 3808 | 1816 | file.exe | xriv.exe
PID 3808 wrote to memory of 2952 | 3808 | xriv.exe | mnolyk.exe
PID 3808 wrote to memory of 2952 | 3808 | xriv.exe | mnolyk.exe
PID 3808 wrote to memory of 2952 | 3808 | xriv.exe | mnolyk.exe
PID 2952 wrote to memory of 5056 | 2952 | mnolyk.exe | schtasks.exe
PID 2952 wrote to memory of 5056 | 2952 | mnolyk.exe | schtasks.exe
PID 2952 wrote to memory of 5056 | 2952 | mnolyk.exe | schtasks.exe
PID 2952 wrote to memory of 4464 | 2952 | mnolyk.exe | cmd.exe
PID 2952 wrote to memory of 4464 | 2952 | mnolyk.exe | cmd.exe
PID 2952 wrote to memory of 4464 | 2952 | mnolyk.exe | cmd.exe
PID 4464 wrote to memory of 3404 | 4464 | cmd.exe | cmd.exe
PID 4464 wrote to memory of 3404 | 4464 | cmd.exe | cmd.exe
PID 4464 wrote to memory of 3404 | 4464 | cmd.exe | cmd.exe
PID 4464 wrote to memory of 3736 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3736 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3736 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 2464 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 2464 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 2464 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 1080 | 4464 | cmd.exe | cmd.exe
PID 4464 wrote to memory of 1080 | 4464 | cmd.exe | cmd.exe
PID 4464 wrote to memory of 1080 | 4464 | cmd.exe | cmd.exe
PID 4464 wrote to memory of 3292 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3292 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3292 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3268 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3268 | 4464 | cmd.exe | cacls.exe
PID 4464 wrote to memory of 3268 | 4464 | cmd.exe | cacls.exe
PID 2952 wrote to memory of 1960 | 2952 | mnolyk.exe | rundll32.exe
PID 2952 wrote to memory of 1960 | 2952 | mnolyk.exe | rundll32.exe
PID 2952 wrote to memory of 1960 | 2952 | mnolyk.exe | rundll32.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zhiga.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zhiga.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aLBf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aLBf.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1080
        - Program crash
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
        - Creates scheduled task(s)
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [depth 5] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "mnolyk.exe" /P "Admin:N"
        [depth 5] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [depth 5] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\4b9a106e76" /P "Admin:N"
        [depth 5] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\4b9a106e76" /P "Admin:R" /E
      [depth 4] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        - Loads dropped DLL
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4180 -ip 4180
[depth 1] C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  - Executes dropped EXE
[depth 1] C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads