Analysis
max time kernel: 129s
max time network: 146s
platform: windows10_x64
resource: win10v200430
submitted: 13-07-2020 10:59
Static task: static1
Behavioral task: behavioral1
Sample: 70BC.tmp.exe
Resource: win7
Behavioral task: behavioral2
Sample: 70BC.tmp.exe
Resource: win10v200430
General
Target: 70BC.tmp.exe
Size: 676KB
MD5: 07566fb66073abafbd438f08fa1c7245
SHA1: e73eed815412a3cb1929add64b3ba7639006eb2e
SHA256: 6eb60af3c1f6688fee7286b384fd107552bdf95dc951101df4a1d4f861623134
SHA512: fd853360ba32b8f8c23fbda55b88fa66c802b53e33c169a8a4d1d87ba84e4895640a5ef3b341d67e3733e76c379598490167ad4ae486262eba5e2cf098d79f24
Malware Config
Extracted
C:\_readme.txt
helpmanager@mail.ch
restoremanager@airmail.cc
https://we.tl/t-q9ro1midUb
Signatures
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
70BC.tmp.exe, 70BC.tmp.exe, 5.exe, cmd.exe, updatewin1.exe, updatewin1.exe
description  pid  process  target process
PID 1492 wrote to memory of 2120  1492  70BC.tmp.exe  icacls.exe
PID 1492 wrote to memory of 2120  1492  70BC.tmp.exe  icacls.exe
PID 1492 wrote to memory of 2120  1492  70BC.tmp.exe  icacls.exe
PID 1492 wrote to memory of 2204  1492  70BC.tmp.exe  70BC.tmp.exe
PID 1492 wrote to memory of 2204  1492  70BC.tmp.exe  70BC.tmp.exe
PID 1492 wrote to memory of 2204  1492  70BC.tmp.exe  70BC.tmp.exe
PID 2204 wrote to memory of 3776  2204  70BC.tmp.exe  updatewin1.exe
PID 2204 wrote to memory of 3776  2204  70BC.tmp.exe  updatewin1.exe
PID 2204 wrote to memory of 3776  2204  70BC.tmp.exe  updatewin1.exe
PID 2204 wrote to memory of 4024  2204  70BC.tmp.exe  updatewin2.exe
PID 2204 wrote to memory of 4024  2204  70BC.tmp.exe  updatewin2.exe
PID 2204 wrote to memory of 4024  2204  70BC.tmp.exe  updatewin2.exe
PID 2204 wrote to memory of 3944  2204  70BC.tmp.exe  5.exe
PID 2204 wrote to memory of 3944  2204  70BC.tmp.exe  5.exe
PID 2204 wrote to memory of 3944  2204  70BC.tmp.exe  5.exe
PID 3944 wrote to memory of 1648  3944  5.exe  cmd.exe
PID 3944 wrote to memory of 1648  3944  5.exe  cmd.exe
PID 3944 wrote to memory of 1648  3944  5.exe  cmd.exe
PID 1648 wrote to memory of 1500  1648  cmd.exe  taskkill.exe
PID 1648 wrote to memory of 1500  1648  cmd.exe  taskkill.exe
PID 1648 wrote to memory of 1500  1648  cmd.exe  taskkill.exe
PID 3776 wrote to memory of 3568  3776  updatewin1.exe  updatewin1.exe
PID 3776 wrote to memory of 3568  3776  updatewin1.exe  updatewin1.exe
PID 3776 wrote to memory of 3568  3776  updatewin1.exe  updatewin1.exe
PID 3568 wrote to memory of 3436  3568  updatewin1.exe  powershell.exe
PID 3568 wrote to memory of 3436  3568  updatewin1.exe  powershell.exe
PID 3568 wrote to memory of 3436  3568  updatewin1.exe  powershell.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE
pid  process
1012  NOTEPAD.EXE
-
Checks for installed software on the system 1 TTPs 28 IoCs
-
Drops file in Drivers directory 1 IoCs
Processes:
updatewin2.exe
description  ioc  process
File opened for modification  C:\Windows\System32\drivers\etc\hosts  updatewin2.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
20  ip-api.com
-
Modifies file permissions 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
70BC.tmp.exe70BC.tmp.exe5.exeWerFault.exe70BC.tmp.exepid process 1492 70BC.tmp.exe 1492 70BC.tmp.exe 2204 70BC.tmp.exe 2204 70BC.tmp.exe 3944 5.exe 3944 5.exe 3944 5.exe 3944 5.exe 3944 5.exe 3944 5.exe 3944 5.exe 3944 5.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 2996 WerFault.exe 1464 70BC.tmp.exe 1464 70BC.tmp.exe 2204 70BC.tmp.exe 2204 70BC.tmp.exe -
Executes dropped EXE 5 IoCs
Processes:
updatewin1.exe, updatewin2.exe, 5.exe, updatewin1.exe, 70BC.tmp.exe
pid  process
3776  updatewin1.exe
4024  updatewin2.exe
3944  5.exe
3568  updatewin1.exe
1464  70BC.tmp.exe
-
Loads dropped DLL 2 IoCs
Processes:
5.exe
pid  process
3944  5.exe
3944  5.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
taskkill.exe, WerFault.exe
description  pid  process
Token: SeDebugPrivilege  1500  taskkill.exe
Token: SeRestorePrivilege  2996  WerFault.exe
Token: SeBackupPrivilege  2996  WerFault.exe
Token: SeDebugPrivilege  2996  WerFault.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid  process
1500  taskkill.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
70BC.tmp.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E  70BC.tmp.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob =  70BC.tmp.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid  pid_target  process  target process
2996  3436  WerFault.exe  powershell.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
5.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5.exe
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
70BC.tmp.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\\70BC.tmp.exe\" --AutoStart"  70BC.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Adds Run entry to start application
-
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Depth: 2
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe" --Admin IsNotAutoStart IsNotTask
Depth: 2
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
"C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe"
Depth: 3
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
"C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe" --Admin
Depth: 4
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Depth: 5
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 668
Depth: 6
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Program crash
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
"C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe"
Depth: 3
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
"C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe"
Depth: 3
- Suspicious use of WriteProcessMemory
- Checks for installed software on the system
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe & exit
Depth: 4
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
Depth: 5
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe --Task
Depth: 1
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Depth: 1
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
Depth: 1
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
-
C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
-
C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
-
C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
-
C:\_readme.txt
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll