Analysis
-
max time kernel
747s -
max time network
762s -
platform
windows10-1703_x64 -
resource
win10-20240214-en -
resource tags
-
submitted
19-02-2024 15:26
Errors
General
-
Target
puugtqapzxao.exe
-
Size
769KB
-
MD5
0b8d6a7e6d09d1ef259d04a5580a5138
-
SHA1
34beda8270e99335cfd90907f5037250c8fa682e
-
SHA256
9b49cb61c6998d160a3fd448926df1f08277866e62999223ee7bc1455e023ad8
-
SHA512
be6bdef101cdf04f21dd9ddf1166866510b8a1b31ce08b4c962a8fb678f68864c54f729be53c22daaae8b1f6f643f5607fb5a882810f142152a78a016ccb4df5
-
SSDEEP
12288:sunmOayKUGPPVle8m4Ou1bypH3etxcvj8NfM3q9RNIwo:smayKg4OuC3iN03qD
Malware Config
Extracted
njrat
0.7d
Lammer
8.tcp.ngrok.io:19346
bca7344ec33c4f045ea133b6b48694e2
-
reg_key
bca7344ec33c4f045ea133b6b48694e2
-
splitter
|'|'|
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies AppInit DLL entries 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\puugtqapzxao.exe"C:\Users\Admin\AppData\Local\Temp\puugtqapzxao.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mzdwe2dt.3yw.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mzdwe2dt.3yw.exe"'3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 002⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\shutdown.exeShutdown /s /f /t 003⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aeb055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ea13e190c322eaf6a89d894fc43e3f4c
SHA133a3ac4355ba6d14d9cdf5e19df328cb47097ee5
SHA256dcdceee337a503e7cc6b183aacc2fc5f94f43a817d594db2ad7a2687489d9b77
SHA5126c50d6e9ac6d2ab470977f3367646a4366cf9f68bd72093ed8acf27dbeebf771066fcc55febd6d45858e898b520d4580f35172f54ed4a1cf72005641a7715d4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5500f9929a55b1e72d1ede67ef8f0bea9
SHA11f466dfb41f62b7295590818afbbc280fc23c50c
SHA25632a9cb389ea918eb00bc20531f15e5f8e301b4812a25e0ff0d80e78f0dd7e84d
SHA512439e4637e780dc2e0e4fc498f01d57a41cc9d7ac4c218ab0bd95c306e2cb47fd75391ab0bac0b49efae57665ee0a0330d248626f71f55fa2da7aa78c032cf41d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD500ee33eb614372beb96b2240afdfd7af
SHA11014d6f7334dbfcb43cf763f2c26ee21228cd208
SHA256e7ec08f8889e1af96fe047ba2f536494934781c9536a8e57ca5c6521702ab5b1
SHA51269f46678fcabe9b0522fd9e2322bb19ebc42a4f5b1295aaa6ecc8c0784e5ae5e598587677258868d82b0fd325e668809a0a797c9f0f23979e296f8d9401ea041
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5da88074524a2b9647d6b8d3910b2fc0e
SHA1d8dafb926cd7e1bb5b9804e8c0bef0c3f956aa20
SHA256200804ebd0a9569ee1ae52076b15d191807c34c63dc325cd54486727543f7d3f
SHA5121dc3e02ae700217d920415ab9bd2c5008e22f13e759d4d8d46e975b83dcfa4672dccbf61b7eb0cbb94a80da74f79d784a00b091209cad8da57270ef7867a682b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f52a0d33bd231007139ce27d65a80a88
SHA11045cc36c98c03906bd4364e4cda762821ad706e
SHA25621ea3d0a2cc106fbd7be27c9aae1cdccfb0077f1e5556fc4f2338247f9683ed3
SHA51222efb20b18a42ab154cb40db5dfc712fc77ff87512223f73adf5c0e55d7da8a263ab598bd79588f9debc691457862378f630fd9827fa24c59fd8127ffedceaa8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56d06201bfb3522adb1874471e6620a43
SHA12d817f759f57ecc2157cb064b60598ce41f8d743
SHA256a6fca35793c3b5b8a08820195718edfe88171da78a2ae7b07ffccaf728fba2bd
SHA512caafda3be9f9877cd9010606ad75060c2e8803793293e5110c4660e7dcd7f218d3cdbdfa634c98022d04983e33e6eae527c45c68a6cd0d941bcb6ae279f761a3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56188fb06650486c62b0572b3c96978d4
SHA1ccba65542b637de3d44da444d6aae1556bd260de
SHA2565d2d3d14055a4b6f6138f5d9104ecf8f291a38561e2bd59fc55c42f284350378
SHA5126cb4d1d42abdd3cb26bd6b8e53f6c14040684d0a7cee4350568a5520f4fbc0df2329842bc3853d2c1fac6a1fb5d8d2e3d410d058f2c33b575c84b645e37a0602
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5061600348279114ba954ce262c62f1ea
SHA1e0020b70258bb4af6629316bb5c823d9f4127bbf
SHA2565b38f961b4b570df3c691e744a426cb2ec7135899b7d879d8734d5413590d024
SHA512cedfee04c722d58d295d6cb280bd7f2fcbd184bd3a4cd164c9eafa9e29310fffd86d49b7dcc425f0d3e68f209822d94e588684756006622834070894f072824f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5514999564a540d85974094c23a036e21
SHA1dea33138e8b59af0919fa9631248fcecd791b6fa
SHA25688175f19b6162996efce49671e7f2d543a7afcc63fca54ed0b6d717d3f2c5988
SHA512580479a6925c8b8b3c3732443153241192faf47305fd624bb0807af2bff234951c3a52692d89d7a5598827532a50534d8f65a9c44225332e6e6a9dc07cadc218
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2tvrqkp.yoo.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\Documents\Sub\xdwdClient.exeFilesize
769KB
MD50b8d6a7e6d09d1ef259d04a5580a5138
SHA134beda8270e99335cfd90907f5037250c8fa682e
SHA2569b49cb61c6998d160a3fd448926df1f08277866e62999223ee7bc1455e023ad8
SHA512be6bdef101cdf04f21dd9ddf1166866510b8a1b31ce08b4c962a8fb678f68864c54f729be53c22daaae8b1f6f643f5607fb5a882810f142152a78a016ccb4df5
-
C:\Windows\xdwd.dllFilesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
memory/684-1107-0x0000025AAE370000-0x0000025AAE3DC000-memory.dmpFilesize
432KB
-
memory/684-1384-0x0000025AAE370000-0x0000025AAE3DC000-memory.dmpFilesize
432KB
-
memory/684-775-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/1132-1045-0x00000159FB890000-0x00000159FB8FC000-memory.dmpFilesize
432KB
-
memory/1132-705-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/1132-1375-0x00000159FB890000-0x00000159FB8FC000-memory.dmpFilesize
432KB
-
memory/1132-672-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/1132-716-0x00000159FB6E0000-0x00000159FB6F0000-memory.dmpFilesize
64KB
-
memory/1476-1091-0x0000017371DC0000-0x0000017371E2C000-memory.dmpFilesize
432KB
-
memory/1476-1345-0x0000017371DC0000-0x0000017371E2C000-memory.dmpFilesize
432KB
-
memory/1476-744-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/1476-779-0x0000017371E90000-0x0000017371EA0000-memory.dmpFilesize
64KB
-
memory/1476-765-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/1768-668-0x0000024024FE0000-0x0000024024FF0000-memory.dmpFilesize
64KB
-
memory/1768-1320-0x00000240250D0000-0x000002402513C000-memory.dmpFilesize
432KB
-
memory/1768-662-0x0000024024FE0000-0x0000024024FF0000-memory.dmpFilesize
64KB
-
memory/1768-637-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/1768-634-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/1768-630-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/1768-999-0x00000240250D0000-0x000002402513C000-memory.dmpFilesize
432KB
-
memory/2168-698-0x000002044AB10000-0x000002044AB20000-memory.dmpFilesize
64KB
-
memory/2168-1020-0x0000020462F60000-0x0000020462FCC000-memory.dmpFilesize
432KB
-
memory/2168-694-0x000002044AB10000-0x000002044AB20000-memory.dmpFilesize
64KB
-
memory/2168-657-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/2168-635-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2168-641-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2168-1355-0x0000020462F60000-0x0000020462FCC000-memory.dmpFilesize
432KB
-
memory/2736-732-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2736-735-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/2736-1075-0x000001DDF15B0000-0x000001DDF161C000-memory.dmpFilesize
432KB
-
memory/2736-1374-0x000001DDF15B0000-0x000001DDF161C000-memory.dmpFilesize
432KB
-
memory/2736-748-0x000001DDF1660000-0x000001DDF1670000-memory.dmpFilesize
64KB
-
memory/2736-746-0x000001DDF1660000-0x000001DDF1670000-memory.dmpFilesize
64KB
-
memory/2736-731-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2824-1097-0x000002324A0F0000-0x000002324A15C000-memory.dmpFilesize
432KB
-
memory/2824-1392-0x000002324A0F0000-0x000002324A15C000-memory.dmpFilesize
432KB
-
memory/2824-767-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2824-766-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2864-711-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/2864-1408-0x0000026CBFF00000-0x0000026CBFF6C000-memory.dmpFilesize
432KB
-
memory/2864-1038-0x0000026CBFF00000-0x0000026CBFF6C000-memory.dmpFilesize
432KB
-
memory/2864-718-0x0000026CBFEC0000-0x0000026CBFED0000-memory.dmpFilesize
64KB
-
memory/2864-680-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2932-750-0x00000269F5790000-0x00000269F57A0000-memory.dmpFilesize
64KB
-
memory/2932-734-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/2932-1083-0x00000269F5710000-0x00000269F577C000-memory.dmpFilesize
432KB
-
memory/2932-1400-0x00000269F5710000-0x00000269F577C000-memory.dmpFilesize
432KB
-
memory/2932-760-0x00000269F5790000-0x00000269F57A0000-memory.dmpFilesize
64KB
-
memory/3272-4190-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3872-739-0x00000141F8370000-0x00000141F8380000-memory.dmpFilesize
64KB
-
memory/3872-1063-0x00000141F83B0000-0x00000141F841C000-memory.dmpFilesize
432KB
-
memory/3872-726-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/3872-1391-0x00000141F83B0000-0x00000141F841C000-memory.dmpFilesize
432KB
-
memory/3872-741-0x00000141F8370000-0x00000141F8380000-memory.dmpFilesize
64KB
-
memory/3872-733-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/4260-728-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/4260-1413-0x000001AEF3100000-0x000001AEF316C000-memory.dmpFilesize
432KB
-
memory/4260-723-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4260-721-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4260-738-0x000001AEF30F0000-0x000001AEF3100000-memory.dmpFilesize
64KB
-
memory/4260-737-0x000001AEF30F0000-0x000001AEF3100000-memory.dmpFilesize
64KB
-
memory/4260-1056-0x000001AEF3100000-0x000001AEF316C000-memory.dmpFilesize
432KB
-
memory/4348-585-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/4348-581-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4348-628-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4348-588-0x0000016A981E0000-0x0000016A98202000-memory.dmpFilesize
136KB
-
memory/4348-629-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/4348-587-0x0000016AFF3F0000-0x0000016AFF400000-memory.dmpFilesize
64KB
-
memory/4348-582-0x00007FFC2F680000-0x00007FFC2F681000-memory.dmpFilesize
4KB
-
memory/4348-603-0x0000016AFF3F0000-0x0000016AFF400000-memory.dmpFilesize
64KB
-
memory/4348-578-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4348-627-0x0000016A98210000-0x0000016A9827C000-memory.dmpFilesize
432KB
-
memory/4348-586-0x0000016AFF3F0000-0x0000016AFF400000-memory.dmpFilesize
64KB
-
memory/4496-36-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4496-35-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4496-37-0x00007FFC2F730000-0x00007FFC2F731000-memory.dmpFilesize
4KB
-
memory/4496-38-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4532-647-0x00007FFC2F930000-0x00007FFC2FB0B000-memory.dmpFilesize
1.9MB
-
memory/4532-1366-0x000001C977B30000-0x000001C977B9C000-memory.dmpFilesize
432KB
-
memory/4532-691-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/4532-1031-0x000001C977B30000-0x000001C977B9C000-memory.dmpFilesize
432KB
-
memory/4532-713-0x000001C977470000-0x000001C977480000-memory.dmpFilesize
64KB
-
memory/5088-67-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB
-
memory/5088-180-0x000000001B7C0000-0x000000001B7D0000-memory.dmpFilesize
64KB
-
memory/5088-519-0x0000000000D20000-0x0000000000D96000-memory.dmpFilesize
472KB
-
memory/5088-520-0x0000000000C90000-0x0000000000C9A000-memory.dmpFilesize
40KB
-
memory/5088-521-0x0000000000CC0000-0x0000000000CDE000-memory.dmpFilesize
120KB
-
memory/5088-0-0x0000000000540000-0x0000000000606000-memory.dmpFilesize
792KB
-
memory/5088-18-0x000000001B7C0000-0x000000001B7D0000-memory.dmpFilesize
64KB
-
memory/5088-1-0x00007FFC12DF0000-0x00007FFC137DC000-memory.dmpFilesize
9.9MB