Analysis
-
max time kernel
147s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-01-2021 14:32
Static task
static1
Behavioral task
behavioral1
Sample
covid21.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
covid21.exe
Resource
win10v20201028
General
-
Target
covid21.exe
-
Size
2.0MB
-
MD5
1a2e2d295e04f74437652dc9b8a2d03c
-
SHA1
e3565983ee402856c2cf4eec2ac6ff9636443fe9
-
SHA256
a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd
-
SHA512
7d5130ad41c4903aa66fc00b22bc3799ade4b6c3bb82db9aead43158aa03165159b59f8c16d8cf68fb297e69e6a13acc9708669d5916fe52b9254330c1f14df2
Malware Config
Signatures
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\99B5.tmp\screenscrew.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\99B5.tmp\screenscrew.exe aspack_v212_v242 -
Executes dropped EXE 4 IoCs
Processes:
CLWCP.exePayloadGDI.exescreenscrew.exePayloadMBR.exepid process 856 CLWCP.exe 744 PayloadGDI.exe 3316 screenscrew.exe 2428 PayloadMBR.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
PayloadMBR.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run PayloadMBR.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\99B5.tmp\\PayloadMBR.exe" PayloadMBR.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
PayloadMBR.exedescription ioc process File opened for modification \??\PhysicalDrive0 PayloadMBR.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
CLWCP.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "c:\\covid21\\covid.bmp" CLWCP.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3828 2428 WerFault.exe PayloadMBR.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 15 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 3676 timeout.exe 4036 timeout.exe 2764 timeout.exe 1352 timeout.exe 636 timeout.exe 1240 timeout.exe 2328 timeout.exe 3176 timeout.exe 1984 timeout.exe 3696 timeout.exe 2192 timeout.exe 1064 timeout.exe 988 timeout.exe 3520 timeout.exe 2272 timeout.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
PayloadMBR.exeWerFault.exepid process 2428 PayloadMBR.exe 2428 PayloadMBR.exe 2428 PayloadMBR.exe 2428 PayloadMBR.exe 2428 PayloadMBR.exe 2428 PayloadMBR.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe 3828 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
PayloadMBR.exeWerFault.exedescription pid process Token: SeDebugPrivilege 2428 PayloadMBR.exe Token: SeShutdownPrivilege 3828 WerFault.exe Token: SeRestorePrivilege 3828 WerFault.exe Token: SeBackupPrivilege 3828 WerFault.exe Token: SeDebugPrivilege 3828 WerFault.exe -
Suspicious use of WriteProcessMemory 102 IoCs
Processes:
covid21.execmd.exedescription pid process target process PID 880 wrote to memory of 3228 880 covid21.exe cmd.exe PID 880 wrote to memory of 3228 880 covid21.exe cmd.exe PID 880 wrote to memory of 3228 880 covid21.exe cmd.exe PID 3228 wrote to memory of 856 3228 cmd.exe CLWCP.exe PID 3228 wrote to memory of 856 3228 cmd.exe CLWCP.exe PID 3228 wrote to memory of 856 3228 cmd.exe CLWCP.exe PID 3228 wrote to memory of 1328 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 1328 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 1328 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 636 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 636 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 636 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 744 3228 cmd.exe PayloadGDI.exe PID 3228 wrote to memory of 744 3228 cmd.exe PayloadGDI.exe PID 3228 wrote to memory of 744 3228 cmd.exe PayloadGDI.exe PID 3228 wrote to memory of 3696 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3696 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3696 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3316 3228 cmd.exe screenscrew.exe PID 3228 wrote to memory of 3316 3228 cmd.exe screenscrew.exe PID 3228 wrote to memory of 3316 3228 cmd.exe screenscrew.exe PID 3228 wrote to memory of 3676 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3676 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3676 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 2244 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2244 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2244 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 1240 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 1240 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 1240 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3924 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3924 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3924 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2328 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 2328 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 2328 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3596 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3596 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3596 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3176 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3176 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3176 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3356 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3356 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3356 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2764 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 2764 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 2764 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3292 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3292 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3292 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 4036 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 4036 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 4036 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 1772 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 1772 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 1772 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 3520 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3520 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 3520 3228 cmd.exe timeout.exe PID 3228 wrote to memory of 2132 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2132 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2132 3228 cmd.exe WScript.exe PID 3228 wrote to memory of 2272 3228 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\covid21.exe"C:\Users\Admin\AppData\Local\Temp\covid21.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid21.bat" "2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\CLWCP.execlwcp c:\covid21\covid.bmp3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 5 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadGDI.exePayloadGDI.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exetimeout 5 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\screenscrew.exescreenscrew.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 1 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 5 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid21.vbs"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /3 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadMBR.exePayloadMBR.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadMBR.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 5044⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\CLWCP.exeMD5
e62ee6f1efc85cb36d62ab779db6e4ec
SHA1da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA25613b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA5128142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\CLWCP.exeMD5
e62ee6f1efc85cb36d62ab779db6e4ec
SHA1da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA25613b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA5128142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadGDI.exeMD5
a7ce5bee03c197f0a99427c4b590f4a0
SHA114d8617c51947fb49b3aba7e9aece83e5094cf71
SHA2560c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852
SHA5127f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadGDI.exeMD5
a7ce5bee03c197f0a99427c4b590f4a0
SHA114d8617c51947fb49b3aba7e9aece83e5094cf71
SHA2560c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852
SHA5127f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadMBR.exeMD5
d917af256a1d20b4eac477cdb189367b
SHA16c2fa4648b16b89c4f5664f1c3490ec2022eb5dd
SHA256e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0
SHA512fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadMBR.exeMD5
d917af256a1d20b4eac477cdb189367b
SHA16c2fa4648b16b89c4f5664f1c3490ec2022eb5dd
SHA256e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0
SHA512fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbsMD5
f4de606815f3bd1bf38b83c91ac66c35
SHA1abfb1ed384daa10b71c333d9a67721666cbe50ac
SHA256aac0328f3782aefd5bb8a2df87b65dcc545a0f2cb4a0052f9068b53ba6d4e0d3
SHA5121c7124dd589b4d4f673780d3ba9c942dcb6dfb65a06a20998a69a04c6af493aa96061bc2ce32b8f12d9074330b37d4fd6c513eda3246a5e736c2c8a760d81327
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid.bmpMD5
cf4483270f71b38dcd27453333d0fd22
SHA17420b02927a46dc42de25944234bb02f6f9b4436
SHA2565c65ac5249bcd106af671a36da4320b6acafe633369dcd45f72e73c4529122e7
SHA5120ce1d66497f8c3863547d0c0131bda177e262ed7869f3047f6b56ce82c9e3308be1aa3438254bea2b4f2d0f712943a51e1e27394283afa70664bd81b2c6c69a4
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid.vbsMD5
a3716f222b9a4ef9484e95557780a858
SHA100e0a1b1a0b1d4f0a99db8ee8110daf177ffd902
SHA25611b7a39b5caf234d4f027868506fd75e859fa660e737efb95ee514c40e989ca4
SHA512645f033e27ab65874f1f435912ceb71ec17e52fc24b1e80c07f2bfab7ad6e78a573f4188faedf5a7db7050c19f754605e68b81e48464e7c1d34f964b140d2752
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid21.batMD5
cb71400420494f3dd91d5cd070b01b3f
SHA16fee86981e62ad8ac96ede3435d7f7e9b18c9932
SHA25625034dccdb96d86e3b797b7db7dd7786d74b51120196c44340a03b3291b3c9ac
SHA512f3b9dad00c9efbcadd721cf225ec910cc0d6a644e3a86050a3a33cd28152bb3c6f836adca8803ff5553eab461d67472a167c1b6c25efb779aaa60ceb4b9e6285
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid21.vbsMD5
87aaebe24d9cc38cb0357e9723cce915
SHA15c301a5165263fe382aefb758ff6494522b9d4f1
SHA2560aa36c0a57c3f2c57ee9d674cefccd86970c239233f571718d434472c0f6ffba
SHA512e5c905ead6f158b2908e0f802b9db99419088ec8a638753a875629c07a37748f6fba56e60d4712c113a5de1dbf730ff532b1b002af7262d0a96042851a6d4919
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\screenscrew.exeMD5
e87a04c270f98bb6b5677cc789d1ad1d
SHA18c14cb338e23d4a82f6310d13b36729e543ff0ca
SHA256e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
SHA5128784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13
-
C:\Users\Admin\AppData\Local\Temp\99B5.tmp\screenscrew.exeMD5
e87a04c270f98bb6b5677cc789d1ad1d
SHA18c14cb338e23d4a82f6310d13b36729e543ff0ca
SHA256e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
SHA5128784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13
-
memory/636-10-0x0000000000000000-mapping.dmp
-
memory/744-12-0x0000000000000000-mapping.dmp
-
memory/856-5-0x0000000000000000-mapping.dmp
-
memory/988-40-0x0000000000000000-mapping.dmp
-
memory/1000-39-0x0000000000000000-mapping.dmp
-
memory/1064-38-0x0000000000000000-mapping.dmp
-
memory/1240-21-0x0000000000000000-mapping.dmp
-
memory/1328-9-0x0000000000000000-mapping.dmp
-
memory/1352-42-0x0000000000000000-mapping.dmp
-
memory/1480-50-0x0000000000000000-mapping.dmp
-
memory/1772-31-0x0000000000000000-mapping.dmp
-
memory/1924-35-0x0000000000000000-mapping.dmp
-
memory/1984-44-0x0000000000000000-mapping.dmp
-
memory/2132-33-0x0000000000000000-mapping.dmp
-
memory/2192-36-0x0000000000000000-mapping.dmp
-
memory/2244-20-0x0000000000000000-mapping.dmp
-
memory/2272-34-0x0000000000000000-mapping.dmp
-
memory/2328-24-0x0000000000000000-mapping.dmp
-
memory/2428-46-0x0000000000000000-mapping.dmp
-
memory/2764-28-0x0000000000000000-mapping.dmp
-
memory/2928-43-0x0000000000000000-mapping.dmp
-
memory/3152-41-0x0000000000000000-mapping.dmp
-
memory/3176-26-0x0000000000000000-mapping.dmp
-
memory/3228-2-0x0000000000000000-mapping.dmp
-
memory/3292-29-0x0000000000000000-mapping.dmp
-
memory/3316-16-0x0000000000000000-mapping.dmp
-
memory/3356-27-0x0000000000000000-mapping.dmp
-
memory/3520-32-0x0000000000000000-mapping.dmp
-
memory/3596-25-0x0000000000000000-mapping.dmp
-
memory/3676-19-0x0000000000000000-mapping.dmp
-
memory/3696-15-0x0000000000000000-mapping.dmp
-
memory/3824-37-0x0000000000000000-mapping.dmp
-
memory/3828-51-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/3924-23-0x0000000000000000-mapping.dmp
-
memory/4036-30-0x0000000000000000-mapping.dmp