Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
24-06-2024 06:09
General
-
Target
f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
-
Size
38.8MB
-
MD5
de78f05822b58389a08df867280df451
-
SHA1
d27954678d26afb60dd51750f69520a79bf8b997
-
SHA256
f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1
-
SHA512
8374e56d7d3e8ced16e15cd8c34e7059feacb94964b4a50c22cbf6d3045f2c52119d0393f218d0d4b445afa6ce12f607c85b09b82859275d81ebc91880ebe5d2
-
SSDEEP
786432:DCyIg99ycT/7t7OB2K4oX5Znw0e7s0sjgTTb2:DCxg99yaTt7G2K4opd3e7s0sjy
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Executes dropped EXE 5 IoCs
-
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 20 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Kills process with taskkill 8 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winsvc.exe"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"5⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/05⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."5⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start winsvc5⤵
- Launches sc.exe
-
C:\Windows\system32\winsvc.exeC:\Windows\system32\winsvc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\WINDOWS\SYSTEM32\WINCFG.EXE"C:\WINDOWS\SYSTEM32\WINCFG.EXE"2⤵
- Executes dropped EXE
-
C:\WINDOWS\SYSTEM32\WINNET.EXE"C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"2⤵
- Executes dropped EXE
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f33xjp0.rlt.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exeFilesize
42.5MB
MD518c3c899c9a4b44417d8153a948ae5ca
SHA18560c64c60ce15cb849b031d0690793e8b8793ec
SHA25601e5fb6db31037b5e6f6ac1839d556c806b3fbdb31c2b4f5a7c19734e5420c70
SHA512d058c166ca467978ce69b5a7ae16bd85c190ff9de562c020214c81e255e1ea0cecd132683d38302ac1cdb8f1399d89dd85d33fdf3b5a243812dd510fb1556cf4
-
C:\WINDOWS\SYSTEM32\WINCFG.EXEFilesize
34.7MB
MD5b969b295f08994b53015e7b0807ed43f
SHA1e67a88f291df370105130dbe28e4798a8a8906ae
SHA256513db022bfe45ca351ca8eb72b22389703b0d4932a64d144d00d616d89c24b83
SHA5123fc4577ad19deeb5a39691ff58e4190dd3b1447a308cbddb8193301605e124ed7a59c91a63007fc9a04d46da2b7bb50d992a7a5ad50d2b9723252c9f687e7a7b
-
C:\Windows\System32\data\router.infoFilesize
931B
MD5aeee3f9f4c2c12e2fb437033052c11a6
SHA1c2ae6162317b8186e9d64a43a105628860899c00
SHA2569df2351b3616bdcb2acb4157ff096c87eb383f8cb0a38ab8f98e798032815685
SHA512714d85bf5f81f489248e9a7e2d866b109a5f5f0f4e9c925a2d50fc9b09162fd1c3a9253703c4d97b19bde4c00e0e0438a2367684307e00ffd5ba4f3d26e1eebe
-
C:\Windows\System32\winnet.exeFilesize
9.1MB
MD52fdbf4ba6ab24cf44aa0cc08cd77ca66
SHA1df5e034ba45a932b9f5d3ed7adc4a71e0b376984
SHA256fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b
SHA51281d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5dbbd2d4458d7e8094846420da595dfc3
SHA1267cb47b904f14a519d2bd73abfdb30e1a06e1a6
SHA256e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4
SHA512480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f2dd68ab8e611f0143c6ad176f223ae9
SHA130f580175773f251a9572fe757de6eaef6844abc
SHA256f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7
SHA512f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5dea88d224e264dee313090c0dedbbf24
SHA1925409182c6612dee899d394071711d8561f673c
SHA2560afb343316f4d06aaaf1902e5b8f96fe73799becb4d58451dd3c5cfdc5368781
SHA5127956beca6b65b6a2421a0a0075985e4694bb4ba1acf612095aa3849242c754b180f4442fe53e88866a52ac619e92b7e6daf5bc07de14649b631f26d6dc0d2a3f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD558b7e19a4c91ea198969357d8d14deb8
SHA1174fe9fa64e451a47b5562ae3e74e9b237425d1c
SHA256150774e04d20d1259512136d70d543bc1f5daf6f67ad9efb9d210f4a9f77e202
SHA5122dddbf4e48195a2e9094bf5706f60a1553e2c312a70f24ae51d2567c80c57dbc5cf3a813e5c2000adaaaeb321f22821338894a5ddc85978feafdb49e1ca4fffe
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD553fbb36e3de882ade26ea8b023b9a6ce
SHA1ff48acf3b1475f0933c950856f58aebb26ca4af9
SHA256c1ed4103218a9267eb4c0266f7a5d599950aa178523cc33357e49b727bb65130
SHA512a2536a0500b3075e9f87ea66fee73061d6660af246637d04cfb7d80d51ddaa35692682a08663c21db9533cecc0e140a6b610d8656cc1aa02d3969b5d2a83f2c9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53398bf1168a9f89d5b7512bb3ae38c3a
SHA1990bac740c4e9e69fcb57421aee5c17e719c0dbb
SHA2568f280b231e77e4aa53a85917f0604e4e31b0e8fe362d36e40c2396d5a7654e84
SHA512325a2294cdf61f988274f27587180a5433719647d2bd03c2b5c36d6be629cac338c0f2c0d9347b22aa70c10db13686f35e81d63c20eaae5df4cca710f123e700
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD58b658f6a218b204d6021ca308313c203
SHA16559cb3390f7c6a9179cd75fd255147096d519df
SHA256285640f02e3c7b880dd412f08a8893505e05dc5e289f31f1e54723d649b4b63e
SHA5121817852faef10427d16af1409f9faad4b397bbaad1019bae941ce6a64f1f83c9146af95af05c931047709f03cf556e1859acee9663ba84630736491629ca7410
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51a2b75442e69ad677ca3192e41ffe669
SHA1896b3ddf45a57d2300db389ad039fe882bfc7636
SHA2564243ec9e4321cd754503d9fdf24fc9ea91c03e714682ae5f4407a1174dacf2e2
SHA51203fafb009b3539cd4a0077518b743b3261cc585d78a7011bf777e6e04fc5ec5f5be32a024d11e849e0f75a05680edf95e27fc47d1f4d434318c5ba84ce7aae19
-
memory/400-92-0x0000019A42EF0000-0x0000019A42EF8000-memory.dmpFilesize
32KB
-
memory/400-87-0x0000019A42BD0000-0x0000019A42C83000-memory.dmpFilesize
716KB
-
memory/400-93-0x0000019A42F20000-0x0000019A42F26000-memory.dmpFilesize
24KB
-
memory/400-91-0x0000019A42F40000-0x0000019A42F5A000-memory.dmpFilesize
104KB
-
memory/400-90-0x0000019A42EE0000-0x0000019A42EEA000-memory.dmpFilesize
40KB
-
memory/400-89-0x0000019A42F00000-0x0000019A42F1C000-memory.dmpFilesize
112KB
-
memory/400-88-0x0000019A42990000-0x0000019A4299A000-memory.dmpFilesize
40KB
-
memory/400-94-0x0000019A42F30000-0x0000019A42F3A000-memory.dmpFilesize
40KB
-
memory/400-86-0x0000019A42BB0000-0x0000019A42BCC000-memory.dmpFilesize
112KB
-
memory/2684-200-0x000001B26B920000-0x000001B26B92E000-memory.dmpFilesize
56KB
-
memory/2684-201-0x000001B26B980000-0x000001B26B99A000-memory.dmpFilesize
104KB
-
memory/2684-199-0x000001B26B600000-0x000001B26B6B3000-memory.dmpFilesize
716KB
-
memory/4460-65-0x00007FF7DA0D0000-0x00007FF7DA0E0000-memory.dmpFilesize
64KB
-
memory/4460-64-0x00007FF7DA0C0000-0x00007FF7DA0D0000-memory.dmpFilesize
64KB
-
memory/4704-17-0x0000027525490000-0x00000275254B2000-memory.dmpFilesize
136KB