Analysis
-
max time kernel
145s -
max time network
194s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
13-05-2021 06:12
Static task
static1
Behavioral task
behavioral1
Sample
2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe
Resource
win7v20210408
General
-
Target
2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe
-
Size
406KB
-
MD5
43349e08c310568c4d852900a9de2124
-
SHA1
f7a8cb308703af8abee75ed61ee61843bf778873
-
SHA256
2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f
-
SHA512
75e82f2218e02d21d5fbd50c5d6e3b75372738d57180e29800f89ce0d329bbe0696b2252e88c99c8147482dc42983cfcb395712f59bfcc81c159f27e8c6281c1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Crypted.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" Crypted.exe -
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
msdcsc.exeCrypted.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Crypted.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Crypted.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Crypted.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe -
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
Crypted.exemsdcsc.exepid process 1996 Crypted.exe 332 msdcsc.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Crypted.exe upx behavioral1/memory/1996-66-0x0000000002100000-0x000000000318E000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\Crypted.exe upx \Users\Admin\Documents\MSDCSC\msdcsc.exe upx \Users\Admin\Documents\MSDCSC\msdcsc.exe upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx behavioral1/memory/552-81-0x0000000000400000-0x00000000004C9000-memory.dmp upx behavioral1/memory/332-84-0x0000000002000000-0x000000000308E000-memory.dmp upx -
Deletes itself 1 IoCs
Processes:
Crypted.exepid process 1996 Crypted.exe -
Loads dropped DLL 2 IoCs
Processes:
Crypted.exepid process 1996 Crypted.exe 1996 Crypted.exe -
Processes:
Crypted.exemsdcsc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Crypted.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc msdcsc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Crypted.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Crypted.exemsdcsc.exeiexplore.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" Crypted.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe -
Processes:
Crypted.exemsdcsc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msdcsc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
msdcsc.exedescription pid process target process PID 332 set thread context of 552 332 msdcsc.exe iexplore.exe -
Drops file in Windows directory 1 IoCs
Processes:
Crypted.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI Crypted.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Crypted.exemsdcsc.exepid process 1996 Crypted.exe 332 msdcsc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 552 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Crypted.exemsdcsc.exedescription pid process Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeIncreaseQuotaPrivilege 1996 Crypted.exe Token: SeSecurityPrivilege 1996 Crypted.exe Token: SeTakeOwnershipPrivilege 1996 Crypted.exe Token: SeLoadDriverPrivilege 1996 Crypted.exe Token: SeSystemProfilePrivilege 1996 Crypted.exe Token: SeSystemtimePrivilege 1996 Crypted.exe Token: SeProfSingleProcessPrivilege 1996 Crypted.exe Token: SeIncBasePriorityPrivilege 1996 Crypted.exe Token: SeCreatePagefilePrivilege 1996 Crypted.exe Token: SeBackupPrivilege 1996 Crypted.exe Token: SeRestorePrivilege 1996 Crypted.exe Token: SeShutdownPrivilege 1996 Crypted.exe Token: SeDebugPrivilege 1996 Crypted.exe Token: SeSystemEnvironmentPrivilege 1996 Crypted.exe Token: SeChangeNotifyPrivilege 1996 Crypted.exe Token: SeRemoteShutdownPrivilege 1996 Crypted.exe Token: SeUndockPrivilege 1996 Crypted.exe Token: SeManageVolumePrivilege 1996 Crypted.exe Token: SeImpersonatePrivilege 1996 Crypted.exe Token: SeCreateGlobalPrivilege 1996 Crypted.exe Token: 33 1996 Crypted.exe Token: 34 1996 Crypted.exe Token: 35 1996 Crypted.exe Token: SeIncreaseQuotaPrivilege 332 msdcsc.exe Token: SeSecurityPrivilege 332 msdcsc.exe Token: SeTakeOwnershipPrivilege 332 msdcsc.exe Token: SeLoadDriverPrivilege 332 msdcsc.exe Token: SeSystemProfilePrivilege 332 msdcsc.exe Token: SeSystemtimePrivilege 332 msdcsc.exe Token: SeProfSingleProcessPrivilege 332 msdcsc.exe Token: SeIncBasePriorityPrivilege 332 msdcsc.exe Token: SeCreatePagefilePrivilege 332 msdcsc.exe Token: SeBackupPrivilege 332 msdcsc.exe Token: SeRestorePrivilege 332 msdcsc.exe Token: SeShutdownPrivilege 332 msdcsc.exe Token: SeDebugPrivilege 332 msdcsc.exe Token: SeSystemEnvironmentPrivilege 332 msdcsc.exe Token: SeChangeNotifyPrivilege 332 msdcsc.exe Token: SeRemoteShutdownPrivilege 332 msdcsc.exe Token: SeUndockPrivilege 332 msdcsc.exe Token: SeManageVolumePrivilege 332 msdcsc.exe Token: SeImpersonatePrivilege 332 msdcsc.exe Token: SeCreateGlobalPrivilege 332 msdcsc.exe Token: 33 332 msdcsc.exe Token: 34 332 msdcsc.exe Token: 35 332 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iexplore.exepid process 552 iexplore.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exeCrypted.execmd.exemsdcsc.exedescription pid process target process PID 1092 wrote to memory of 1996 1092 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe PID 1092 wrote to memory of 1996 1092 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe PID 1092 wrote to memory of 1996 1092 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe PID 1092 wrote to memory of 1996 1092 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe PID 1996 wrote to memory of 1124 1996 Crypted.exe taskhost.exe PID 1996 wrote to memory of 1184 1996 Crypted.exe Dwm.exe PID 1996 wrote to memory of 1268 1996 Crypted.exe Explorer.EXE PID 1996 wrote to memory of 616 1996 Crypted.exe cmd.exe PID 1996 wrote to memory of 616 1996 Crypted.exe cmd.exe PID 1996 wrote to memory of 616 1996 Crypted.exe cmd.exe PID 1996 wrote to memory of 616 1996 Crypted.exe cmd.exe PID 1996 wrote to memory of 332 1996 Crypted.exe msdcsc.exe PID 1996 wrote to memory of 332 1996 Crypted.exe msdcsc.exe PID 1996 wrote to memory of 332 1996 Crypted.exe msdcsc.exe PID 1996 wrote to memory of 332 1996 Crypted.exe msdcsc.exe PID 616 wrote to memory of 1072 616 cmd.exe attrib.exe PID 616 wrote to memory of 1072 616 cmd.exe attrib.exe PID 616 wrote to memory of 1072 616 cmd.exe attrib.exe PID 616 wrote to memory of 1072 616 cmd.exe attrib.exe PID 332 wrote to memory of 1124 332 msdcsc.exe taskhost.exe PID 332 wrote to memory of 1184 332 msdcsc.exe Dwm.exe PID 332 wrote to memory of 1268 332 msdcsc.exe Explorer.EXE PID 332 wrote to memory of 616 332 msdcsc.exe cmd.exe PID 332 wrote to memory of 616 332 msdcsc.exe cmd.exe PID 332 wrote to memory of 320 332 msdcsc.exe conhost.exe PID 332 wrote to memory of 1072 332 msdcsc.exe attrib.exe PID 332 wrote to memory of 1072 332 msdcsc.exe attrib.exe PID 332 wrote to memory of 552 332 msdcsc.exe iexplore.exe PID 332 wrote to memory of 552 332 msdcsc.exe iexplore.exe PID 332 wrote to memory of 552 332 msdcsc.exe iexplore.exe PID 332 wrote to memory of 552 332 msdcsc.exe iexplore.exe PID 332 wrote to memory of 552 332 msdcsc.exe iexplore.exe PID 332 wrote to memory of 552 332 msdcsc.exe iexplore.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
Crypted.exemsdcsc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Crypted.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msdcsc.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe"C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h5⤵
- Views/modifies file attributes
PID:1072 -
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:332 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:552
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1184
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1124
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1447369961986230383198416077114096609971844441259-588605278-1137860248-487365046"1⤵PID:320
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batMD5
b774ae3fb1da087e1f83b4f7b2060e5a
SHA197eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Windows\SYSTEM.INIMD5
b3322adf5e35ddfde9c26de7f98c991d
SHA1922672760e86113453ad072ad98ad94736b2d17b
SHA25681f147ad1c11518fab13ec19b55dbd1606b208f3cf6ac584095a05eaf0b6e2ec
SHA512799491d8adb699d4961d87aeefb24a178d795e70fe6e0a0e15a8bcd25c553ceb0ca33d38ee9c9ec96aadef9be3fd2ea11fdef4162e6cf272a573076b4dc41598
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
memory/332-89-0x0000000001E90000-0x0000000001E91000-memory.dmpFilesize
4KB
-
memory/332-87-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/332-84-0x0000000002000000-0x000000000308E000-memory.dmpFilesize
16.6MB
-
memory/332-74-0x0000000000000000-mapping.dmp
-
memory/552-81-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/552-82-0x00000000004C69D0-mapping.dmp
-
memory/616-86-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/616-85-0x0000000000130000-0x0000000000137000-memory.dmpFilesize
28KB
-
memory/616-71-0x0000000000000000-mapping.dmp
-
memory/1072-78-0x0000000000000000-mapping.dmp
-
memory/1092-65-0x0000000001D95000-0x0000000001D96000-memory.dmpFilesize
4KB
-
memory/1092-59-0x0000000001D70000-0x0000000001D72000-memory.dmpFilesize
8KB
-
memory/1092-61-0x0000000001D76000-0x0000000001D95000-memory.dmpFilesize
124KB
-
memory/1092-60-0x000007FEF25E0000-0x000007FEF3676000-memory.dmpFilesize
16.6MB
-
memory/1996-66-0x0000000002100000-0x000000000318E000-memory.dmpFilesize
16.6MB
-
memory/1996-64-0x0000000075AA1000-0x0000000075AA3000-memory.dmpFilesize
8KB
-
memory/1996-67-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1996-62-0x0000000000000000-mapping.dmp
-
memory/1996-68-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/1996-69-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB