Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-12-2021 18:01
General
-
Target
88019B018015F33C8CA9290A531027E90EAE517F6B590.exe
-
Size
13.6MB
-
MD5
2821b719af8d6e8a54926a0536c52feb
-
SHA1
ec3013696893908ec7a726325da37bbf22c04eee
-
SHA256
88019b018015f33c8ca9290a531027e90eae517f6b590fb1711de81ff222ed98
-
SHA512
ffb33b3a9118daac53b7ccebb3424affa694123d7b4e8ba5281a387b1d669dfb0cb9e5e321d1d970e0693072d42944861570f3b31cde20b0e542a5ae96b648a6
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 5 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
autoit_exe 8 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88019B018015F33C8CA9290A531027E90EAE517F6B590.exe"C:\Users\Admin\AppData\Local\Temp\88019B018015F33C8CA9290A531027E90EAE517F6B590.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exe"C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Controlled.exe"C:\Users\Admin\AppData\Local\Temp\Controlled.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "%appdata%"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Lost.exe"C:\Users\Admin\AppData\Local\Temp\Lost.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe" "Microsoft OneDrive.exe" ENABLE5⤵
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
c558fdaa3884f969f1ec904ae7bbd991
SHA1b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA2563e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA5126523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
6d278a4e0057ca28d35ffafe8e291bee
SHA1067eb06ac4486ac72bf39d87903512df58b93db6
SHA25695f5976cbed9e4554e43750001ae7dde83802180aa2a440eacaf0be904e0f6f6
SHA512224f0889d59fb8c9aa2be5c8bb9f35c86dad1b35c228aa877a2dc198b8aa197aadb8f876fd358e24190778e873656fa1a9842e8956bfc7206fc5584c6d9de1a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
6d278a4e0057ca28d35ffafe8e291bee
SHA1067eb06ac4486ac72bf39d87903512df58b93db6
SHA25695f5976cbed9e4554e43750001ae7dde83802180aa2a440eacaf0be904e0f6f6
SHA512224f0889d59fb8c9aa2be5c8bb9f35c86dad1b35c228aa877a2dc198b8aa197aadb8f876fd358e24190778e873656fa1a9842e8956bfc7206fc5584c6d9de1a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
e9870e37047330139c75aa76aacf0532
SHA133a1617ee822b7cd17604929d5af7e4487216e1b
SHA256898b8b8ba8a997c79aa401a6c8304effee9d5e02c2fb570fa014378a16334094
SHA51231c57f966a8cfee5739c5e1399f8277e1119a943a7931f6bd349782fc6a8a0f8b48611a2775ca37edc9ac4ea16abceb9ac0c92351228882a6944fd00cd55725b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
209c93d2a66f32d68ca124f75a9c8281
SHA1be345f19491c0def2007b7c9574985c617d71c44
SHA25682b202bd637d98b2221b34c4bb7b0d988337d60d9d24ff41cbd9a39bafa177cd
SHA51226dca6412d17d0bc5ce0439e110308318226518bdac2cd9e3006e5128edd787254860f6df9ff42455a9783218f3a9cbf9fffb287d6c2afccf9e52afe3eaff442
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
89bea8c9858aaf222eed3e56c34cf48b
SHA124b6a57e2cc1994587ce41ad5445f5139ffb987e
SHA256afc9a1747bac48bfa8f989793a8671570c3d4a407e089b1142b28fda00f43bfd
SHA5126c5465cae0ca10a59896a735a013159fb326e7602c41b8bcba42de3dc9bb81f8674cecccf63f9d93d26052931312d451a00656c1bcf874d3addf921f758b4f72
-
C:\Users\Admin\AppData\Local\Temp\Controlled.exeMD5
bac34ccafe73bb8ac9fc2d603e8fa7f5
SHA18a5c1dfca71d0427c05aecd1cc51bfea4d115380
SHA2563f2cc117aaca845072bf07291d7de05f2c3f1d6d35acefde2db8de1bcff1b5b9
SHA51216d5e260a13841731d57938cc89301ec17ad4c15fa461861888a9bdc895b599860b53e97c440ecea2519653cd398ca3b7c499b90014f96059762357c0d8b102f
-
C:\Users\Admin\AppData\Local\Temp\Controlled.exeMD5
bac34ccafe73bb8ac9fc2d603e8fa7f5
SHA18a5c1dfca71d0427c05aecd1cc51bfea4d115380
SHA2563f2cc117aaca845072bf07291d7de05f2c3f1d6d35acefde2db8de1bcff1b5b9
SHA51216d5e260a13841731d57938cc89301ec17ad4c15fa461861888a9bdc895b599860b53e97c440ecea2519653cd398ca3b7c499b90014f96059762357c0d8b102f
-
C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exeMD5
7c201b8ea0371c471d14bc58a1a49250
SHA10bdeffc5d2f65177d13a75f577ca7280a6adbb45
SHA25654005254ae6e1a05f068974760305ce6df3775fa00e64273849c02c4488a6e81
SHA512d0fff986dc5fbb1be8dd419a39279a7ad6c3e0b21a4a91b52db4198e66bfce4f3e4eb7185c3cf16027fced90a3084d9d37baa10515186218acc29a6cd624d724
-
C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exeMD5
7c201b8ea0371c471d14bc58a1a49250
SHA10bdeffc5d2f65177d13a75f577ca7280a6adbb45
SHA25654005254ae6e1a05f068974760305ce6df3775fa00e64273849c02c4488a6e81
SHA512d0fff986dc5fbb1be8dd419a39279a7ad6c3e0b21a4a91b52db4198e66bfce4f3e4eb7185c3cf16027fced90a3084d9d37baa10515186218acc29a6cd624d724
-
C:\Users\Admin\AppData\Local\Temp\Lost.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Lost.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exeMD5
f2b6ef2a2ee8fe7819029dc06a69e7ba
SHA148a2429e9b17d91ff158dfdf896e62874c66bec7
SHA2560774dc41d6a7956a9e551e52db40944eed0362f60067faf7f08920e062df7108
SHA512cd6b22d2b82555a5db0bc00aa18f7195cd796e6f93036a13fcbd1b2eba981a83ef4247fd1836f703b4a900f375f93ecdac9c31a91ec6acfbf89f66653adb5ed9
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exeMD5
f2b6ef2a2ee8fe7819029dc06a69e7ba
SHA148a2429e9b17d91ff158dfdf896e62874c66bec7
SHA2560774dc41d6a7956a9e551e52db40944eed0362f60067faf7f08920e062df7108
SHA512cd6b22d2b82555a5db0bc00aa18f7195cd796e6f93036a13fcbd1b2eba981a83ef4247fd1836f703b4a900f375f93ecdac9c31a91ec6acfbf89f66653adb5ed9
-
memory/668-194-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/668-166-0x0000000000000000-mapping.dmp
-
memory/668-169-0x0000000004900000-0x0000000004936000-memory.dmpFilesize
216KB
-
memory/668-176-0x0000000008650000-0x000000000869B000-memory.dmpFilesize
300KB
-
memory/668-177-0x00000000083F0000-0x0000000008466000-memory.dmpFilesize
472KB
-
memory/668-167-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/668-168-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/668-180-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/668-179-0x0000000004992000-0x0000000004993000-memory.dmpFilesize
4KB
-
memory/668-178-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/668-191-0x0000000009260000-0x0000000009282000-memory.dmpFilesize
136KB
-
memory/668-190-0x0000000009210000-0x000000000922A000-memory.dmpFilesize
104KB
-
memory/668-192-0x0000000009A90000-0x0000000009F8E000-memory.dmpFilesize
5.0MB
-
memory/668-175-0x0000000007C30000-0x0000000007C4C000-memory.dmpFilesize
112KB
-
memory/668-174-0x0000000007D60000-0x00000000080B0000-memory.dmpFilesize
3.3MB
-
memory/668-173-0x0000000007B80000-0x0000000007BE6000-memory.dmpFilesize
408KB
-
memory/668-172-0x0000000007B10000-0x0000000007B76000-memory.dmpFilesize
408KB
-
memory/668-198-0x0000000004993000-0x0000000004994000-memory.dmpFilesize
4KB
-
memory/668-189-0x00000000094F0000-0x0000000009584000-memory.dmpFilesize
592KB
-
memory/668-171-0x0000000007A00000-0x0000000007A22000-memory.dmpFilesize
136KB
-
memory/668-170-0x0000000007380000-0x00000000079A8000-memory.dmpFilesize
6.2MB
-
memory/1200-494-0x0000000000000000-mapping.dmp
-
memory/1624-193-0x0000000002160000-0x0000000002161000-memory.dmpFilesize
4KB
-
memory/1624-184-0x0000000000000000-mapping.dmp
-
memory/1780-142-0x0000000000000000-mapping.dmp
-
memory/2096-139-0x0000000004E90000-0x000000000538E000-memory.dmpFilesize
5.0MB
-
memory/2096-126-0x0000000000460000-0x0000000000566000-memory.dmpFilesize
1.0MB
-
memory/2096-127-0x0000000000460000-0x0000000000566000-memory.dmpFilesize
1.0MB
-
memory/2096-128-0x0000000004D70000-0x0000000004E0C000-memory.dmpFilesize
624KB
-
memory/2096-129-0x0000000005390000-0x000000000588E000-memory.dmpFilesize
5.0MB
-
memory/2096-130-0x0000000004F30000-0x0000000004FC2000-memory.dmpFilesize
584KB
-
memory/2096-131-0x0000000004E10000-0x0000000004E1A000-memory.dmpFilesize
40KB
-
memory/2096-123-0x0000000000000000-mapping.dmp
-
memory/2096-132-0x0000000005090000-0x00000000050E6000-memory.dmpFilesize
344KB
-
memory/2144-476-0x0000000000000000-mapping.dmp
-
memory/2272-201-0x0000000000000000-mapping.dmp
-
memory/2704-215-0x0000000004D62000-0x0000000004D63000-memory.dmpFilesize
4KB
-
memory/2704-212-0x0000000008610000-0x000000000862C000-memory.dmpFilesize
112KB
-
memory/2704-209-0x0000000007FF0000-0x0000000008056000-memory.dmpFilesize
408KB
-
memory/2704-208-0x00000000078A0000-0x0000000007906000-memory.dmpFilesize
408KB
-
memory/2704-207-0x0000000007800000-0x0000000007822000-memory.dmpFilesize
136KB
-
memory/2704-206-0x0000000007950000-0x0000000007F78000-memory.dmpFilesize
6.2MB
-
memory/2704-205-0x0000000004DB0000-0x0000000004DE6000-memory.dmpFilesize
216KB
-
memory/2704-204-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2704-203-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2704-202-0x0000000000000000-mapping.dmp
-
memory/2704-217-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2704-210-0x0000000008230000-0x0000000008580000-memory.dmpFilesize
3.3MB
-
memory/2704-216-0x0000000008940000-0x00000000089B6000-memory.dmpFilesize
472KB
-
memory/2704-214-0x0000000008B70000-0x0000000008BBB000-memory.dmpFilesize
300KB
-
memory/2704-213-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/2968-326-0x0000000000000000-mapping.dmp
-
memory/3140-133-0x0000000000000000-mapping.dmp
-
memory/3140-138-0x0000000000560000-0x000000000119E000-memory.dmpFilesize
12.2MB
-
memory/3140-162-0x000000001BD54000-0x000000001BD55000-memory.dmpFilesize
4KB
-
memory/3140-161-0x000000001BD52000-0x000000001BD54000-memory.dmpFilesize
8KB
-
memory/3140-140-0x000000001BD50000-0x000000001BD52000-memory.dmpFilesize
8KB
-
memory/3140-158-0x000000001F3D0000-0x000000002033E000-memory.dmpFilesize
15.4MB
-
memory/4052-122-0x0000000005DB0000-0x00000000062AE000-memory.dmpFilesize
5.0MB
-
memory/4052-119-0x0000000005E50000-0x0000000005EE2000-memory.dmpFilesize
584KB
-
memory/4052-116-0x0000000000630000-0x00000000013CA000-memory.dmpFilesize
13.6MB
-
memory/4052-121-0x00000000060B0000-0x0000000006106000-memory.dmpFilesize
344KB
-
memory/4052-117-0x0000000005D00000-0x0000000005D9C000-memory.dmpFilesize
624KB
-
memory/4052-118-0x00000000062B0000-0x00000000067AE000-memory.dmpFilesize
5.0MB
-
memory/4052-120-0x0000000005DC0000-0x0000000005DCA000-memory.dmpFilesize
40KB
-
memory/4052-115-0x0000000000630000-0x00000000013CA000-memory.dmpFilesize
13.6MB
-
memory/4060-222-0x0000000006D00000-0x0000000006D36000-memory.dmpFilesize
216KB
-
memory/4060-233-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/4060-219-0x0000000000000000-mapping.dmp
-
memory/4060-220-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/4060-221-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/4212-136-0x0000000000000000-mapping.dmp
-
memory/4300-157-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/4300-147-0x0000000000000000-mapping.dmp
-
memory/4304-477-0x0000000000000000-mapping.dmp
-
memory/4316-144-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/4316-151-0x00000000076B0000-0x00000000076B1000-memory.dmpFilesize
4KB
-
memory/4316-155-0x0000000007B60000-0x0000000007BC6000-memory.dmpFilesize
408KB
-
memory/4316-164-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/4316-163-0x0000000008AC0000-0x0000000008B36000-memory.dmpFilesize
472KB
-
memory/4316-160-0x0000000008840000-0x000000000888B000-memory.dmpFilesize
300KB
-
memory/4316-153-0x00000000079E0000-0x0000000007A02000-memory.dmpFilesize
136KB
-
memory/4316-152-0x00000000076B2000-0x00000000076B3000-memory.dmpFilesize
4KB
-
memory/4316-150-0x0000000007CF0000-0x0000000008318000-memory.dmpFilesize
6.2MB
-
memory/4316-154-0x0000000007A80000-0x0000000007AE6000-memory.dmpFilesize
408KB
-
memory/4316-146-0x0000000004F50000-0x0000000004F86000-memory.dmpFilesize
216KB
-
memory/4316-159-0x0000000008320000-0x000000000833C000-memory.dmpFilesize
112KB
-
memory/4316-145-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/4316-156-0x0000000008350000-0x00000000086A0000-memory.dmpFilesize
3.3MB
-
memory/4316-143-0x0000000000000000-mapping.dmp
-
memory/4316-200-0x00000000076B4000-0x00000000076B6000-memory.dmpFilesize
8KB
-
memory/4316-199-0x00000000076B3000-0x00000000076B4000-memory.dmpFilesize
4KB
-
memory/4316-197-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB