Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
07-05-2021 04:05
Static task
static1
Behavioral task
behavioral1
Sample
Compile by raminhk 2.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Compile by raminhk 2.exe
Resource
win10v20210408
General
-
Target
Compile by raminhk 2.exe
-
Size
7.9MB
-
MD5
fb9eb8850ee963bc69583f0227803aef
-
SHA1
a8c4277662b79d84ebec5f17b83153d364a478a7
-
SHA256
373dd8d9b31679fa1f46779be91f0d8e378af030bffe91de45d150c78e2cae53
-
SHA512
2d26b6f014ac2ca6b925ab5dfe259847869d3967754de91c8434f0a932bd2ec844403dfa2bc5b5c3442730c42500e2f0c45d321b416450012aae62128e74942c
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Processes:
resource yara_rule behavioral1/memory/296-59-0x00000000000C0000-0x0000000001350000-memory.dmp vmprotect -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Compile by raminhk 2.exereg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "27733ae1a9b708216a13fcedb542f32ad72ff9362067e21b3f174cf43357139e27733ae1a9b708216a13fcedb542f32a" Compile by raminhk 2.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\WindowsSecurityUpdate.exe /onboot" reg.exe -
Drops desktop.ini file(s) 26 IoCs
Processes:
Compile by raminhk 2.exedescription ioc process File created C:\Users\Public\Libraries\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Music\Sample Music\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Videos\Sample Videos\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Videos\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Favorites\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Documents\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Pictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Saved Games\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Desktop\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Pictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Contacts\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Links\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Favorites\Links\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Videos\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Downloads\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Desktop\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Downloads\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Music\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Searches\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Music\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Recorded TV\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Documents\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Favorites\Links for United States\desktop.ini Compile by raminhk 2.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 icanhazip.com 6 icanhazip.com -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327125585" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BCC8C71-AEEA-11EB-B1BA-7AE655052A65} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000001d968c892cd21bd8fbe976047d81b038e7ab5808f4d93a0393d09d1d8b003ab7000000000e8000000002000020000000937aa861b2c3d2b8eb6dca7504a18767989885393b91c262780b6858143d216620000000e4977795bb15002227cd07689f41cd44f2e00affd051e9980519c30a6ad827c7400000005665e62f512ed5c8cbe8ed64d3faccf56a8165c28e5ce6c94599d49a7f87fe81eb98b864c9deca7b8d2aac25bd3a55ecd927741163a9a5e5fbe28d6a2b5b4efb iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c017fcf0f642d701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000001c02b48ea9ec3aa1bfb24b52fea3fc54b403bd98bb26fbf31004ad0d4c9f8be9000000000e8000000002000020000000c0c199ee5e0fc3f50c8f181c858384d62a1b421780453166b939f2c0ac9c7664900000005dc70719d5e3cfebd5883b3bc6435cdfaa1340f5da0061d245e775437329a80518266539c8b1dc6ce7dc6db9499eadf7f71f8436a35f5888dfc61f28a15eb872401e446cb6218dd82a28e5a3a0ad86f03217c531f602605c51cfa73f6a4373684a80dd5f85b0325d12e77b9c8d09bcf54fd49c45b328325a7afcd365b072bad9d88009a1a74d6bd035c45c029c99498540000000433f961a0ebf7ceab54d6623a3e1c58851c8d6104641759b9d787b55b6e149521fb4febcc95715c86e4c8668436bf21f7f997b7b0684ac1221d20b2b25547b46 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe -
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Compile by raminhk 2.exepid process 296 Compile by raminhk 2.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
tasklist.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 2040 tasklist.exe Token: SeIncreaseQuotaPrivilege 568 WMIC.exe Token: SeSecurityPrivilege 568 WMIC.exe Token: SeTakeOwnershipPrivilege 568 WMIC.exe Token: SeLoadDriverPrivilege 568 WMIC.exe Token: SeSystemProfilePrivilege 568 WMIC.exe Token: SeSystemtimePrivilege 568 WMIC.exe Token: SeProfSingleProcessPrivilege 568 WMIC.exe Token: SeIncBasePriorityPrivilege 568 WMIC.exe Token: SeCreatePagefilePrivilege 568 WMIC.exe Token: SeBackupPrivilege 568 WMIC.exe Token: SeRestorePrivilege 568 WMIC.exe Token: SeShutdownPrivilege 568 WMIC.exe Token: SeDebugPrivilege 568 WMIC.exe Token: SeSystemEnvironmentPrivilege 568 WMIC.exe Token: SeRemoteShutdownPrivilege 568 WMIC.exe Token: SeUndockPrivilege 568 WMIC.exe Token: SeManageVolumePrivilege 568 WMIC.exe Token: 33 568 WMIC.exe Token: 34 568 WMIC.exe Token: 35 568 WMIC.exe Token: SeIncreaseQuotaPrivilege 568 WMIC.exe Token: SeSecurityPrivilege 568 WMIC.exe Token: SeTakeOwnershipPrivilege 568 WMIC.exe Token: SeLoadDriverPrivilege 568 WMIC.exe Token: SeSystemProfilePrivilege 568 WMIC.exe Token: SeSystemtimePrivilege 568 WMIC.exe Token: SeProfSingleProcessPrivilege 568 WMIC.exe Token: SeIncBasePriorityPrivilege 568 WMIC.exe Token: SeCreatePagefilePrivilege 568 WMIC.exe Token: SeBackupPrivilege 568 WMIC.exe Token: SeRestorePrivilege 568 WMIC.exe Token: SeShutdownPrivilege 568 WMIC.exe Token: SeDebugPrivilege 568 WMIC.exe Token: SeSystemEnvironmentPrivilege 568 WMIC.exe Token: SeRemoteShutdownPrivilege 568 WMIC.exe Token: SeUndockPrivilege 568 WMIC.exe Token: SeManageVolumePrivilege 568 WMIC.exe Token: 33 568 WMIC.exe Token: 34 568 WMIC.exe Token: 35 568 WMIC.exe Token: SeBackupPrivilege 1084 vssvc.exe Token: SeRestorePrivilege 1084 vssvc.exe Token: SeAuditPrivilege 1084 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 924 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 924 iexplore.exe 924 iexplore.exe 432 IEXPLORE.EXE 432 IEXPLORE.EXE 432 IEXPLORE.EXE 432 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
Compile by raminhk 2.execmd.execmd.execmd.execmd.exeiexplore.exedescription pid process target process PID 296 wrote to memory of 2040 296 Compile by raminhk 2.exe tasklist.exe PID 296 wrote to memory of 2040 296 Compile by raminhk 2.exe tasklist.exe PID 296 wrote to memory of 2040 296 Compile by raminhk 2.exe tasklist.exe PID 296 wrote to memory of 1728 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1728 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1728 296 Compile by raminhk 2.exe cmd.exe PID 1728 wrote to memory of 268 1728 cmd.exe vssadmin.exe PID 1728 wrote to memory of 268 1728 cmd.exe vssadmin.exe PID 1728 wrote to memory of 268 1728 cmd.exe vssadmin.exe PID 1728 wrote to memory of 568 1728 cmd.exe WMIC.exe PID 1728 wrote to memory of 568 1728 cmd.exe WMIC.exe PID 1728 wrote to memory of 568 1728 cmd.exe WMIC.exe PID 296 wrote to memory of 1532 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1532 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1532 296 Compile by raminhk 2.exe cmd.exe PID 1532 wrote to memory of 564 1532 cmd.exe bcdedit.exe PID 1532 wrote to memory of 564 1532 cmd.exe bcdedit.exe PID 1532 wrote to memory of 564 1532 cmd.exe bcdedit.exe PID 296 wrote to memory of 1612 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1612 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1612 296 Compile by raminhk 2.exe cmd.exe PID 1612 wrote to memory of 788 1612 cmd.exe reg.exe PID 1612 wrote to memory of 788 1612 cmd.exe reg.exe PID 1612 wrote to memory of 788 1612 cmd.exe reg.exe PID 296 wrote to memory of 1568 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1568 296 Compile by raminhk 2.exe cmd.exe PID 296 wrote to memory of 1568 296 Compile by raminhk 2.exe cmd.exe PID 1568 wrote to memory of 1588 1568 cmd.exe reg.exe PID 1568 wrote to memory of 1588 1568 cmd.exe reg.exe PID 1568 wrote to memory of 1588 1568 cmd.exe reg.exe PID 924 wrote to memory of 432 924 iexplore.exe IEXPLORE.EXE PID 924 wrote to memory of 432 924 iexplore.exe IEXPLORE.EXE PID 924 wrote to memory of 432 924 iexplore.exe IEXPLORE.EXE PID 924 wrote to memory of 432 924 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe"C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO csv2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadow /all /quiet3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.execmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.execmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\GoNNaCry.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2QCXZ7X4.txtMD5
f4913b971ed0be1f52aa9dd37164e97f
SHA163ada94eafd0413e0446bae27f55ecbcd963a845
SHA256049b9b971247f50871557c9379b3ce0c165f6ff7f097a2c5608463e31edc0e40
SHA51210bbbfa6de84bb0f5b553c3f7d339c4bb5b99dedc18bac6a926f16b7048ca3f5218db90c1abcb47a3cee442ce8e3c6a69f46ce837600cfcacbba10be8ec099ea
-
C:\Users\Admin\Desktop\GoNNaCry.htmlMD5
4c2c4c4a186b8e7d2b3cea3f9b0dee43
SHA16ffba3e641d9ae2b7f55501396dc40b180f3b0ee
SHA256b279af438f9e00780f4b7606d26a0c0a9e1afb216eee612f87502698359ed649
SHA51298821f6db91a983b0f5830b5c696c121a7cde51525060b60b7d92605328cb700f895c744b62f3116e24e6d0b757d397f69bf409c1759d7a31c098f525744b662
-
memory/268-63-0x0000000000000000-mapping.dmp
-
memory/296-59-0x00000000000C0000-0x0000000001350000-memory.dmpFilesize
18.6MB
-
memory/296-61-0x0000000077080000-0x0000000077082000-memory.dmpFilesize
8KB
-
memory/432-73-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB
-
memory/432-72-0x0000000000000000-mapping.dmp
-
memory/564-66-0x0000000000000000-mapping.dmp
-
memory/568-64-0x0000000000000000-mapping.dmp
-
memory/788-68-0x0000000000000000-mapping.dmp
-
memory/924-71-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmpFilesize
8KB
-
memory/1532-65-0x0000000000000000-mapping.dmp
-
memory/1568-69-0x0000000000000000-mapping.dmp
-
memory/1588-70-0x0000000000000000-mapping.dmp
-
memory/1612-67-0x0000000000000000-mapping.dmp
-
memory/1728-62-0x0000000000000000-mapping.dmp
-
memory/2040-60-0x0000000000000000-mapping.dmp