Analysis
-
max time kernel
22s -
max time network
150s -
platform
windows10_x64 -
resource
win10 -
submitted
27-10-2020 15:04
General
-
Target
fd3dc8b684724e1497fd39c04c3220f2.exe
-
Size
1.3MB
-
MD5
fd3dc8b684724e1497fd39c04c3220f2
-
SHA1
147d0f3b6ec38cb14c4d97ba71f28715db2433b4
-
SHA256
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
-
SHA512
c05a1d522db7d0a63c9f917a57ef61815cccd4e5ac3532812d90936dc11ee71713ea17f500189a1d2291f39e1d5fc43d911dce1d3274161e9a1818dd75243849
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 5 IoCs
-
ModiLoader Second Stage 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 17 IoCs
-
Loads dropped DLL 13 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd3dc8b684724e1497fd39c04c3220f2.exe"C:\Users\Admin\AppData\Local\Temp\fd3dc8b684724e1497fd39c04c3220f2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe"C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe"C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe"C:\Users\Admin\AppData\Local\Temp\ds2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe"C:\Users\Admin\AppData\Local\Temp\ds2.exe"5⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe"C:\Users\Admin\AppData\Local\Temp\ds1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe"C:\Users\Admin\AppData\Local\Temp\ds1.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe"C:\Users\Admin\AppData\Local\Temp\ds1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\nr2q12do.inf6⤵
-
C:\Users\Admin\AppData\Local\Temp\rc.exe"C:\Users\Admin\AppData\Local\Temp\rc.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ac.exe"C:\Users\Admin\AppData\Local\Temp\ac.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ac.exe"C:\Users\Admin\AppData\Local\Temp\ac.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ac.exe"C:\Users\Admin\AppData\Local\Temp\ac.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GhdfyrtFD.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe"C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe"C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 3012 & erase C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe & RD /S /Q C:\\ProgramData\\469297335128017\\* & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 30125⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\fd3dc8b684724e1497fd39c04c3220f2.exe"C:\Users\Admin\AppData\Local\Temp\fd3dc8b684724e1497fd39c04c3220f2.exe"2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kZ16PsBxJz.exe"C:\Users\Admin\AppData\Local\Temp\kZ16PsBxJz.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6MAhfAQy5d.exe"C:\Users\Admin\AppData\Local\Temp\6MAhfAQy5d.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\uEUYGsySza.exe"C:\Users\Admin\AppData\Local\Temp\uEUYGsySza.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\brs9OEVUEP.exe"C:\Users\Admin\AppData\Local\Temp\brs9OEVUEP.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\fd3dc8b684724e1497fd39c04c3220f2.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\brs9OEVUEP.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ds1.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kZ16PsBxJz.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uEUYGsySza.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V2UOWG6R.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\6MAhfAQy5d.exe
-
C:\Users\Admin\AppData\Local\Temp\6MAhfAQy5d.exe
-
C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe
-
C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe
-
C:\Users\Admin\AppData\Local\Temp\GFdfgetrqw.exe
-
C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe
-
C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe
-
C:\Users\Admin\AppData\Local\Temp\GhdfyrtFD.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\brs9OEVUEP.exe
-
C:\Users\Admin\AppData\Local\Temp\brs9OEVUEP.exe
-
C:\Users\Admin\AppData\Local\Temp\brs9OEVUEP.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\kZ16PsBxJz.exe
-
C:\Users\Admin\AppData\Local\Temp\kZ16PsBxJz.exe
-
C:\Users\Admin\AppData\Local\Temp\kZ16PsBxJz.exe
-
C:\Users\Admin\AppData\Local\Temp\rc.exe
-
C:\Users\Admin\AppData\Local\Temp\rc.exe
-
C:\Users\Admin\AppData\Local\Temp\uEUYGsySza.exe
-
C:\Users\Admin\AppData\Local\Temp\uEUYGsySza.exe
-
C:\Users\Admin\AppData\Local\Temp\uEUYGsySza.exe
-
C:\Windows\Temp\5irtjhcp.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\b42bt3sw.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\5irtjhcp.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\b42bt3sw.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\bgmdmcoe.inf
-
C:\Windows\temp\nr2q12do.inf
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\Local\Temp\9159DD76\mozglue.dll
-
\Users\Admin\AppData\Local\Temp\9159DD76\msvcp140.dll
-
\Users\Admin\AppData\Local\Temp\9159DD76\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\9159DD76\vcruntime140.dll
-
memory/504-67-0x0000000000000000-mapping.dmp
-
memory/504-70-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/868-151-0x0000000000000000-mapping.dmp
-
memory/908-61-0x0000000000000000-mapping.dmp
-
memory/1248-85-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/1248-80-0x0000000000000000-mapping.dmp
-
memory/1276-334-0x0000000004A30000-0x0000000004A6A000-memory.dmpFilesize
232KB
-
memory/1276-300-0x0000000004B70000-0x0000000004BBD000-memory.dmpFilesize
308KB
-
memory/1276-157-0x0000000003E70000-0x0000000003EAA000-memory.dmpFilesize
232KB
-
memory/1276-304-0x0000000004890000-0x00000000048CA000-memory.dmpFilesize
232KB
-
memory/1276-47-0x0000000000000000-mapping.dmp
-
memory/1284-109-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/1284-103-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1284-106-0x0000000000403BEE-mapping.dmp
-
memory/1460-72-0x0000000000000000-mapping.dmp
-
memory/1460-237-0x0000000002970000-0x00000000029AA000-memory.dmpFilesize
232KB
-
memory/1460-333-0x0000000004C10000-0x0000000004C4A000-memory.dmpFilesize
232KB
-
memory/1460-332-0x00000000049C0000-0x0000000004A0D000-memory.dmpFilesize
308KB
-
memory/1648-91-0x00000000051B0000-0x00000000051BC000-memory.dmpFilesize
48KB
-
memory/1648-90-0x0000000005830000-0x0000000005831000-memory.dmpFilesize
4KB
-
memory/1648-51-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/1648-46-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/1648-92-0x00000000051C0000-0x00000000051CD000-memory.dmpFilesize
52KB
-
memory/1648-42-0x0000000000000000-mapping.dmp
-
memory/1664-2-0x0000000000000000-mapping.dmp
-
memory/1780-140-0x0000000000000000-mapping.dmp
-
memory/1784-5-0x0000000000000000-mapping.dmp
-
memory/1816-119-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/1816-104-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/1816-98-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1816-101-0x000000000040616E-mapping.dmp
-
memory/1816-138-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/2152-60-0x0000000000000000-mapping.dmp
-
memory/2232-154-0x000002BFFEA50000-0x000002BFFEA51000-memory.dmpFilesize
4KB
-
memory/2232-150-0x0000000000000000-mapping.dmp
-
memory/2232-153-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/2232-155-0x000002BFFEC00000-0x000002BFFEC01000-memory.dmpFilesize
4KB
-
memory/2324-39-0x0000000000000000-mapping.dmp
-
memory/2324-45-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/2324-96-0x00000000025B0000-0x00000000025BC000-memory.dmpFilesize
48KB
-
memory/2324-50-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB
-
memory/2368-115-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/2368-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2368-111-0x000000000040C76E-mapping.dmp
-
memory/2668-15-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2668-16-0x000000000041A684-mapping.dmp
-
memory/2668-18-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2704-89-0x0000000000000000-mapping.dmp
-
memory/2736-13-0x000000000043F953-mapping.dmp
-
memory/2736-12-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2736-14-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2860-54-0x0000000000000000-mapping.dmp
-
memory/2860-58-0x0000000000040000-0x0000000000041000-memory.dmpFilesize
4KB
-
memory/2860-95-0x0000000002310000-0x0000000002320000-memory.dmpFilesize
64KB
-
memory/2860-57-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/2980-136-0x0000000007980000-0x0000000007981000-memory.dmpFilesize
4KB
-
memory/2980-230-0x0000000009240000-0x0000000009241000-memory.dmpFilesize
4KB
-
memory/2980-169-0x0000000008DF0000-0x0000000008DF1000-memory.dmpFilesize
4KB
-
memory/2980-158-0x0000000009030000-0x0000000009063000-memory.dmpFilesize
204KB
-
memory/2980-171-0x0000000009160000-0x0000000009161000-memory.dmpFilesize
4KB
-
memory/2980-152-0x0000000008050000-0x0000000008051000-memory.dmpFilesize
4KB
-
memory/2980-137-0x00000000079F0000-0x00000000079F1000-memory.dmpFilesize
4KB
-
memory/2980-228-0x0000000009250000-0x0000000009251000-memory.dmpFilesize
4KB
-
memory/2980-141-0x0000000007950000-0x0000000007951000-memory.dmpFilesize
4KB
-
memory/2980-142-0x00000000081B0000-0x00000000081B1000-memory.dmpFilesize
4KB
-
memory/2980-135-0x0000000007060000-0x0000000007061000-memory.dmpFilesize
4KB
-
memory/2980-191-0x0000000009390000-0x0000000009391000-memory.dmpFilesize
4KB
-
memory/2980-121-0x0000000000000000-mapping.dmp
-
memory/2980-130-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/2980-132-0x00000000010E0000-0x00000000010E1000-memory.dmpFilesize
4KB
-
memory/2980-133-0x00000000071E0000-0x00000000071E1000-memory.dmpFilesize
4KB
-
memory/2980-134-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/3012-20-0x0000000000417A8B-mapping.dmp
-
memory/3012-22-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3012-19-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3172-79-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/3172-76-0x0000000000000000-mapping.dmp
-
memory/3220-271-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/3220-265-0x0000000000000000-mapping.dmp
-
memory/3508-259-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/3508-254-0x0000000000000000-mapping.dmp
-
memory/3552-246-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/3552-239-0x0000000000000000-mapping.dmp
-
memory/3592-81-0x0000000000000000-mapping.dmp
-
memory/3796-38-0x0000000000000000-mapping.dmp
-
memory/3896-37-0x0000000000000000-mapping.dmp
-
memory/3968-122-0x0000000000000000-mapping.dmp
-
memory/3968-125-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB
-
memory/4056-148-0x0000000000B80000-0x0000000000B81000-memory.dmpFilesize
4KB
-
memory/4056-147-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4056-143-0x0000000000000000-mapping.dmp
-
memory/4056-144-0x0000000000000000-mapping.dmp
-
memory/4132-174-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/4132-170-0x000000000040C76E-mapping.dmp
-
memory/4276-188-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/4276-184-0x000000000040616E-mapping.dmp
-
memory/4300-189-0x0000000000403BEE-mapping.dmp
-
memory/4300-194-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/4408-203-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/4408-200-0x0000000000000000-mapping.dmp
-
memory/4420-201-0x0000000000000000-mapping.dmp
-
memory/4420-205-0x00000000711E0000-0x00000000718CE000-memory.dmpFilesize
6.9MB
-
memory/4532-324-0x0000000000000000-mapping.dmp
-
memory/4540-209-0x0000000000000000-mapping.dmp
-
memory/4596-297-0x00000260CCCF0000-0x00000260CCCF1000-memory.dmpFilesize
4KB
-
memory/4596-267-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4596-328-0x00000260B25D0000-0x00000260B25D1000-memory.dmpFilesize
4KB
-
memory/4596-260-0x0000000000000000-mapping.dmp
-
memory/4596-296-0x00000260B2590000-0x00000260B2591000-memory.dmpFilesize
4KB
-
memory/4624-218-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4624-215-0x0000000000000000-mapping.dmp
-
memory/4624-214-0x0000000000000000-mapping.dmp
-
memory/4688-225-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4688-223-0x0000000000000000-mapping.dmp
-
memory/4700-263-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4700-258-0x0000000000000000-mapping.dmp
-
memory/4716-224-0x0000000000000000-mapping.dmp
-
memory/4860-262-0x0000000000000000-mapping.dmp
-
memory/4860-268-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4928-235-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/4928-232-0x0000000000000000-mapping.dmp
-
memory/4968-233-0x0000000000000000-mapping.dmp
-
memory/4968-236-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5096-241-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5096-238-0x0000000000000000-mapping.dmp
-
memory/5168-329-0x0000000000000000-mapping.dmp
-
memory/5396-277-0x0000000000000000-mapping.dmp
-
memory/5396-279-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5448-282-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5448-278-0x0000000000000000-mapping.dmp
-
memory/5624-286-0x0000000000000000-mapping.dmp
-
memory/5624-290-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5800-336-0x0000000001030000-0x0000000001031000-memory.dmpFilesize
4KB
-
memory/5908-301-0x0000000000000000-mapping.dmp
-
memory/5908-320-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5932-331-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/5932-335-0x0000000000000000-mapping.dmp
-
memory/5988-321-0x00007FFEB8DA0000-0x00007FFEB978C000-memory.dmpFilesize
9.9MB
-
memory/5988-306-0x0000000000000000-mapping.dmp