Analysis
-
max time kernel
33s -
max time network
138s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
30-10-2020 15:35
General
-
Target
529bdde5933be5d292cc8d45e23220bc.exe
-
Size
1.6MB
-
MD5
529bdde5933be5d292cc8d45e23220bc
-
SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50
-
SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb
-
SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 8 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 2 IoCs
-
ModiLoader Second Stage 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 13 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\529bdde5933be5d292cc8d45e23220bc.exe"C:\Users\Admin\AppData\Local\Temp\529bdde5933be5d292cc8d45e23220bc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe"C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe"C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe"C:\Users\Admin\AppData\Local\Temp\ds2.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe"C:\Users\Admin\AppData\Local\Temp\ds1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\rc.exe"C:\Users\Admin\AppData\Local\Temp\rc.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ac.exe"C:\Users\Admin\AppData\Local\Temp\ac.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GBFtrybcvuyt.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe"C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe"C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 3820 & erase C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe & RD /S /Q C:\\ProgramData\\608079178003049\\* & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 38205⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\529bdde5933be5d292cc8d45e23220bc.exe"C:\Users\Admin\AppData\Local\Temp\529bdde5933be5d292cc8d45e23220bc.exe"2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe"C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe"C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\hoM2DXD34n.exe"C:\Users\Admin\AppData\Local\Temp\hoM2DXD34n.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe"C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe"C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\de45yeyw.inf5⤵
-
C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe"C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe"C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe"4⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\529bdde5933be5d292cc8d45e23220bc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\deLazbVvpZ.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ds1.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ds2.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pxMkoY5E1M.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0RF24MYA.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe
-
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe
-
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe
-
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe
-
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe
-
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\ac.exe
-
C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe
-
C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe
-
C:\Users\Admin\AppData\Local\Temp\deLazbVvpZ.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds1.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\ds2.exe
-
C:\Users\Admin\AppData\Local\Temp\hoM2DXD34n.exe
-
C:\Users\Admin\AppData\Local\Temp\hoM2DXD34n.exe
-
C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe
-
C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe
-
C:\Users\Admin\AppData\Local\Temp\kYwomE9NNn.exe
-
C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe
-
C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe
-
C:\Users\Admin\AppData\Local\Temp\pxMkoY5E1M.exe
-
C:\Users\Admin\AppData\Local\Temp\rc.exe
-
C:\Users\Admin\AppData\Local\Temp\rc.exe
-
C:\Windows\Temp\x4i4dtut.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\de45yeyw.inf
-
C:\Windows\temp\x4i4dtut.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\xg45nkgn.inf
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
-
memory/212-230-0x0000000000000000-mapping.dmp
-
memory/216-84-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/216-81-0x0000000000000000-mapping.dmp
-
memory/440-221-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/440-217-0x0000000000403BEE-mapping.dmp
-
memory/532-193-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/532-182-0x0000000000000000-mapping.dmp
-
memory/756-132-0x00000000071D0000-0x00000000071D1000-memory.dmpFilesize
4KB
-
memory/756-138-0x0000000007CB0000-0x0000000007CB1000-memory.dmpFilesize
4KB
-
memory/756-253-0x0000000006730000-0x0000000006731000-memory.dmpFilesize
4KB
-
memory/756-248-0x0000000006740000-0x0000000006741000-memory.dmpFilesize
4KB
-
memory/756-131-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/756-123-0x0000000006480000-0x0000000006481000-memory.dmpFilesize
4KB
-
memory/756-165-0x0000000008E30000-0x0000000008E31000-memory.dmpFilesize
4KB
-
memory/756-164-0x0000000008A70000-0x0000000008A71000-memory.dmpFilesize
4KB
-
memory/756-163-0x0000000008900000-0x0000000008901000-memory.dmpFilesize
4KB
-
memory/756-156-0x0000000008930000-0x0000000008963000-memory.dmpFilesize
204KB
-
memory/756-119-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/756-133-0x0000000007240000-0x0000000007241000-memory.dmpFilesize
4KB
-
memory/756-134-0x0000000007500000-0x0000000007501000-memory.dmpFilesize
4KB
-
memory/756-116-0x0000000000000000-mapping.dmp
-
memory/756-141-0x0000000007B70000-0x0000000007B71000-memory.dmpFilesize
4KB
-
memory/756-136-0x00000000073E0000-0x00000000073E1000-memory.dmpFilesize
4KB
-
memory/756-124-0x0000000006B30000-0x0000000006B31000-memory.dmpFilesize
4KB
-
memory/820-194-0x0000000000000000-mapping.dmp
-
memory/820-223-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/932-140-0x0000000000000000-mapping.dmp
-
memory/1028-142-0x0000000000000000-mapping.dmp
-
memory/1028-143-0x0000000000000000-mapping.dmp
-
memory/1028-146-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/1028-147-0x0000000000BD0000-0x0000000000BD1000-memory.dmpFilesize
4KB
-
memory/1184-42-0x0000000000000000-mapping.dmp
-
memory/1184-45-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/1184-46-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/1184-90-0x0000000000B50000-0x0000000000B84000-memory.dmpFilesize
208KB
-
memory/1184-92-0x00000000049E0000-0x00000000049F6000-memory.dmpFilesize
88KB
-
memory/1184-91-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/1268-204-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/1268-185-0x0000000000000000-mapping.dmp
-
memory/1280-175-0x0000000000000000-mapping.dmp
-
memory/1280-181-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/1404-271-0x0000000004AE0000-0x0000000004B2D000-memory.dmpFilesize
308KB
-
memory/1404-47-0x0000000000000000-mapping.dmp
-
memory/1404-154-0x0000000002A50000-0x0000000002A6A000-memory.dmpFilesize
104KB
-
memory/1408-149-0x0000000000000000-mapping.dmp
-
memory/1448-151-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/1448-152-0x0000025855340000-0x0000025855341000-memory.dmpFilesize
4KB
-
memory/1448-150-0x0000000000000000-mapping.dmp
-
memory/1448-153-0x00000258554F0000-0x00000258554F1000-memory.dmpFilesize
4KB
-
memory/1668-59-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/1668-55-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/1668-100-0x0000000003300000-0x000000000333E000-memory.dmpFilesize
248KB
-
memory/1668-51-0x0000000000000000-mapping.dmp
-
memory/1780-54-0x0000000000000000-mapping.dmp
-
memory/1780-99-0x0000000005640000-0x000000000567D000-memory.dmpFilesize
244KB
-
memory/1780-60-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/1780-62-0x0000000000D90000-0x0000000000D91000-memory.dmpFilesize
4KB
-
memory/1784-208-0x000000000040616E-mapping.dmp
-
memory/1784-215-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/1876-56-0x0000000000000000-mapping.dmp
-
memory/2124-177-0x0000000000000000-mapping.dmp
-
memory/2124-184-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/2140-178-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/2140-172-0x0000000000000000-mapping.dmp
-
memory/2212-96-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/2212-94-0x000000000040C76E-mapping.dmp
-
memory/2212-93-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2364-126-0x0000000004540000-0x0000000004541000-memory.dmpFilesize
4KB
-
memory/2364-118-0x0000000000000000-mapping.dmp
-
memory/2364-129-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/2368-317-0x0000000003090000-0x0000000003091000-memory.dmpFilesize
4KB
-
memory/2368-319-0x0000000000000000-mapping.dmp
-
memory/2380-199-0x000000000040C76E-mapping.dmp
-
memory/2380-203-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/2548-64-0x0000000000000000-mapping.dmp
-
memory/2588-65-0x0000000000000000-mapping.dmp
-
memory/2588-68-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/2644-13-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2644-9-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2644-12-0x000000000043FA56-mapping.dmp
-
memory/2680-262-0x0000000002560000-0x000000000257A000-memory.dmpFilesize
104KB
-
memory/2680-75-0x0000000000000000-mapping.dmp
-
memory/2680-311-0x0000000004840000-0x000000000488D000-memory.dmpFilesize
308KB
-
memory/3084-174-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/3084-168-0x0000000000000000-mapping.dmp
-
memory/3384-170-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/3384-166-0x0000000000000000-mapping.dmp
-
memory/3660-86-0x0000000000000000-mapping.dmp
-
memory/3820-19-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3820-22-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3820-20-0x0000000000417A8B-mapping.dmp
-
memory/3824-117-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/3824-103-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3824-137-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/3824-108-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/3824-104-0x000000000040616E-mapping.dmp
-
memory/4044-167-0x0000000000000000-mapping.dmp
-
memory/4044-173-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/4160-18-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4160-16-0x000000000041A684-mapping.dmp
-
memory/4160-15-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4168-210-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/4168-190-0x0000000000000000-mapping.dmp
-
memory/4236-179-0x0000000000000000-mapping.dmp
-
memory/4236-188-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/4244-2-0x0000000000000000-mapping.dmp
-
memory/4248-110-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/4248-105-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4248-106-0x0000000000403BEE-mapping.dmp
-
memory/4272-5-0x0000000000000000-mapping.dmp
-
memory/4628-88-0x0000000000000000-mapping.dmp
-
memory/4656-176-0x00007FFBE30A0000-0x00007FFBE3A8C000-memory.dmpFilesize
9.9MB
-
memory/4656-171-0x0000000000000000-mapping.dmp
-
memory/4696-89-0x0000000000000000-mapping.dmp
-
memory/4728-74-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/4728-71-0x0000000000000000-mapping.dmp
-
memory/4744-77-0x0000000000000000-mapping.dmp
-
memory/4980-231-0x0000000000000000-mapping.dmp
-
memory/4980-240-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/5812-284-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/5812-302-0x0000000000000000-mapping.dmp
-
memory/5812-300-0x0000000000000000-mapping.dmp
-
memory/5812-298-0x0000000000000000-mapping.dmp
-
memory/5812-296-0x0000000000000000-mapping.dmp
-
memory/5812-294-0x0000000000000000-mapping.dmp
-
memory/5812-292-0x0000000000000000-mapping.dmp
-
memory/5812-290-0x0000000000000000-mapping.dmp
-
memory/5812-287-0x0000000000000000-mapping.dmp
-
memory/5812-312-0x0000000000000000-mapping.dmp
-
memory/5812-314-0x0000000000000000-mapping.dmp
-
memory/5812-285-0x0000000000000000-mapping.dmp
-
memory/5812-316-0x0000000000000000-mapping.dmp
-
memory/5812-283-0x0000000000000000-mapping.dmp
-
memory/5812-282-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB