Analysis
-
max time kernel
123s -
max time network
157s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
04-11-2021 23:26
General
-
Target
49c3b146f9734caa1f3ffb3b273238f3.exe
-
Size
16KB
-
MD5
49c3b146f9734caa1f3ffb3b273238f3
-
SHA1
c2c3955cd049f3cfcaf1f926e660712850beccc3
-
SHA256
9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629
-
SHA512
bf33e890ba8fe22aa9a1cfa8757867f0d4010522c82dccbb47e16d376ec66566093056757895edf15d98d9f4f9c2a0f1ffcae4eebd9b6bdb8ed5b43eb0ddd001
Malware Config
Extracted
raccoon
a8df9e1d3d24b04502963590a8ed392d88ab1b96
-
url4cnc
http://telegin.top/opticillusionlusy
http://ttmirror.top/opticillusionlusy
http://teletele.top/opticillusionlusy
http://telegalive.top/opticillusionlusy
http://toptelete.top/opticillusionlusy
http://telegraf.top/opticillusionlusy
https://t.me/opticillusionlusy
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
BitRAT Payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
-
C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe"C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"4⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller4⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start lsass4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"4⤵
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller4⤵
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start lsass4⤵
-
C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 10043⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\4XmySxXF.json"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
b751492c41c6f3173d3b6f31c1b9b4eb
SHA1abc53a2c939b1d774940deb0b888b7b1ba5a3c7b
SHA256ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457
SHA512afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b3e9950f0f5783ad49eced6c69f99d32
SHA1285f3b186567601a0346a080ffc89348654c541b
SHA256f331eb96ef9923a268cc55e0d8ae13dfd31d58bee3cf35858c82f712dfe4320f
SHA512fded6e57638f25fa6272d2539c70777024823fba1af5ec75ce8cb20f7ff4f8306de8fe945d01c39e1d42b5ccb8179980145a49b57bfd8430c205efca0cad5756
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
318fd23eec2d622bedd0a598b5d8235e
SHA17ac404bbf03e16be9ef3c4cf2cf9651fe966e344
SHA2560c0663717f80c435a68d2b2aa0b1a1a01221b70cd00490528bc1e843883d7bd8
SHA512584829c31a6a292c62e8a5814c2b109201c2cdd42ac933be9323e2b32b2e9fc6baa2819e1d3da2621e6897e114caac8a539a00df0df0bbdc2feb45fba2e45143
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
775078b1827648f250d4ccce115c7c89
SHA1315a054a86450f72c78e36248cd56489dcb39978
SHA256fb701a9c76e864745bd92abd194fdf3cb2077c0f18a6088dec6ae29f0faf3fdd
SHA5124a92fb30d3c4350b75616a2557c18ac1c758f8c15bd7e7e1b06d70e85e5ea3e927b76b59b085bf5171ba6ef86469e5a4c7c1336244cc44a17bc2a7d232d04feb
-
C:\Users\Admin\AppData\Local\Temp\unk.xmlMD5
77e6621fd939338d3f19f3dd948ecf43
SHA153df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
SHA2569cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
SHA5126e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f
-
C:\Users\Admin\AppData\Local\Win32\License.XenArmorMD5
4f3bde9212e17ef18226866d6ac739b6
SHA1732733bec8314beb81437e60876ffa75e72ae6cd
SHA256212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA51210b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744
-
C:\Users\Admin\AppData\Local\Win32\License.XenArmorMD5
bf5da170f7c9a8eae88d1cb1a191ff80
SHA1dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA5129e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e
-
C:\Users\Admin\AppData\Local\Win32\Unknown.dllMD5
86114faba7e1ec4a667d2bcb2e23f024
SHA1670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exeMD5
0c547b07b9b62d970cde94b18a34b0f8
SHA1fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exeMD5
0c547b07b9b62d970cde94b18a34b0f8
SHA1fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
C:\Users\Admin\AppData\Local\a4755c5f\plg\4XmySxXF.jsonMD5
77e6621fd939338d3f19f3dd948ecf43
SHA153df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
SHA2569cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
SHA5126e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exeMD5
0c547b07b9b62d970cde94b18a34b0f8
SHA1fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exeMD5
0c547b07b9b62d970cde94b18a34b0f8
SHA1fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exeMD5
0c547b07b9b62d970cde94b18a34b0f8
SHA1fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
C:\Users\Admin\AppData\Roaming\fontdrvhost.exeMD5
4eb5d05f73f6edc4673409b03ee325cf
SHA1f210931bedf25533129b87eee16573e618887d80
SHA2564a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d
SHA512c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231
-
C:\Users\Admin\AppData\Roaming\fontdrvhost.exeMD5
4eb5d05f73f6edc4673409b03ee325cf
SHA1f210931bedf25533129b87eee16573e618887d80
SHA2564a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d
SHA512c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231
-
C:\Users\Admin\hosts.batMD5
633dd29d37554e063e8700af0a882724
SHA12994a70ff1769fdea7f06bbfe58d8d665caca6b8
SHA256dfe6d785e2c1082e1249b081a172c31904d83ea125929e2dca0c41312e9bf2a8
SHA512b25684dab562afd12015058cafc5549b265a7ad38be8d44f3659690b21f723240a1732895dbcf77856973e6e2153a7c0841693a7991b7938a498c602537aa334
-
\Users\Admin\AppData\Local\Win32\Unknown.dllMD5
86114faba7e1ec4a667d2bcb2e23f024
SHA1670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f
-
memory/368-162-0x000000000068A488-mapping.dmp
-
memory/368-161-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/368-166-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/488-261-0x0000000000000000-mapping.dmp
-
memory/632-396-0x0000000000000000-mapping.dmp
-
memory/804-156-0x00000000004A0000-0x00000000004EE000-memory.dmpFilesize
312KB
-
memory/804-158-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB
-
memory/804-157-0x0000000000760000-0x00000000007EE000-memory.dmpFilesize
568KB
-
memory/804-138-0x0000000000000000-mapping.dmp
-
memory/1264-482-0x0000000000000000-mapping.dmp
-
memory/1692-136-0x0000000006642000-0x0000000006643000-memory.dmpFilesize
4KB
-
memory/1692-128-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1692-199-0x0000000009C70000-0x0000000009C71000-memory.dmpFilesize
4KB
-
memory/1692-123-0x0000000000000000-mapping.dmp
-
memory/1692-197-0x0000000008930000-0x0000000008931000-memory.dmpFilesize
4KB
-
memory/1692-126-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1692-194-0x00000000089A0000-0x00000000089A1000-memory.dmpFilesize
4KB
-
memory/1692-133-0x0000000006640000-0x0000000006641000-memory.dmpFilesize
4KB
-
memory/1692-177-0x0000000008890000-0x0000000008891000-memory.dmpFilesize
4KB
-
memory/1692-129-0x0000000001040000-0x0000000001041000-memory.dmpFilesize
4KB
-
memory/1692-131-0x0000000006C80000-0x0000000006C81000-memory.dmpFilesize
4KB
-
memory/1692-246-0x0000000006643000-0x0000000006644000-memory.dmpFilesize
4KB
-
memory/1692-169-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1692-175-0x00000000090F0000-0x00000000090F1000-memory.dmpFilesize
4KB
-
memory/1724-121-0x0000000000000000-mapping.dmp
-
memory/1764-426-0x0000000000000000-mapping.dmp
-
memory/1780-427-0x0000000000000000-mapping.dmp
-
memory/2208-275-0x0000000000000000-mapping.dmp
-
memory/2232-425-0x0000000001013000-0x0000000001014000-memory.dmpFilesize
4KB
-
memory/2232-357-0x0000000001012000-0x0000000001013000-memory.dmpFilesize
4KB
-
memory/2232-356-0x0000000001010000-0x0000000001011000-memory.dmpFilesize
4KB
-
memory/2232-291-0x0000000000000000-mapping.dmp
-
memory/2588-558-0x0000000000400000-0x00000000008DC000-memory.dmpFilesize
4.9MB
-
memory/2588-552-0x00000000008D9FE0-mapping.dmp
-
memory/2848-253-0x0000000000000000-mapping.dmp
-
memory/3420-227-0x0000000000000000-mapping.dmp
-
memory/3432-205-0x0000000000000000-mapping.dmp
-
memory/3716-118-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/3716-135-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/4012-402-0x0000000000000000-mapping.dmp
-
memory/4024-397-0x0000000000000000-mapping.dmp
-
memory/4072-120-0x0000000000000000-mapping.dmp
-
memory/4256-247-0x0000000000000000-mapping.dmp
-
memory/4360-134-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/4360-167-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/4360-144-0x0000000007260000-0x0000000007261000-memory.dmpFilesize
4KB
-
memory/4360-146-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/4360-245-0x0000000004E33000-0x0000000004E34000-memory.dmpFilesize
4KB
-
memory/4360-125-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/4360-148-0x0000000007D50000-0x0000000007D51000-memory.dmpFilesize
4KB
-
memory/4360-127-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/4360-150-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/4360-159-0x0000000008650000-0x0000000008651000-memory.dmpFilesize
4KB
-
memory/4360-124-0x0000000000000000-mapping.dmp
-
memory/4360-137-0x0000000004E32000-0x0000000004E33000-memory.dmpFilesize
4KB
-
memory/4360-152-0x0000000007C20000-0x0000000007C21000-memory.dmpFilesize
4KB
-
memory/4360-154-0x0000000008580000-0x0000000008581000-memory.dmpFilesize
4KB
-
memory/4372-141-0x0000000000000000-mapping.dmp
-
memory/4372-165-0x00000000010E0000-0x00000000014A5000-memory.dmpFilesize
3.8MB
-
memory/4372-164-0x0000000000EF0000-0x00000000010D4000-memory.dmpFilesize
1.9MB
-
memory/4512-412-0x0000000000000000-mapping.dmp
-
memory/4772-311-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/4772-265-0x0000000000000000-mapping.dmp
-
memory/4772-315-0x0000000004CF2000-0x0000000004CF3000-memory.dmpFilesize
4KB
-
memory/4772-424-0x0000000004CF3000-0x0000000004CF4000-memory.dmpFilesize
4KB
-
memory/4804-480-0x0000000000000000-mapping.dmp
-
memory/4812-207-0x0000000000000000-mapping.dmp
-
memory/4844-481-0x0000000000000000-mapping.dmp
-
memory/4884-483-0x0000000000000000-mapping.dmp
-
memory/4888-236-0x0000000000000000-mapping.dmp
-
memory/4928-252-0x0000000000000000-mapping.dmp
-
memory/4984-263-0x0000000000000000-mapping.dmp
-
memory/5020-556-0x00000000006FC1D0-mapping.dmp
-
memory/5020-563-0x0000000000400000-0x00000000006FE000-memory.dmpFilesize
3.0MB