Analysis
- max time kernel: 602s
- max time network: 431s
- platform: windows11_x64
- resource: win11
- submitted: 12-08-2021 21:22
Static task: static1
Behavioral task behavioral1: sample 028d53f5224f9cc8c60bd953504f1efa.exe, resource win11
Behavioral task behavioral2: sample Bot_Checker.exe, resource win11
Behavioral task behavioral3: sample Uninstall.exe, resource win11
Behavioral task behavioral4: sample Versium.exe, resource win11
Behavioral task behavioral5: sample VersiumResearch32bit.exe, resource win11
Behavioral task behavioral6: sample VersiumResearch64bit.exe, resource win11
Behavioral task behavioral7: sample Versiumresearch.exe, resource win11
General
- Target: VersiumResearch64bit.exe
- Size: 252KB
- MD5: ee19bc8a2b6c6fd7c30037389457a4df
- SHA1: e1fca1cc33574e59dec62763ee6e7de1a5198095
- SHA256: 76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
- SHA512: 38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
SystemSettings.exe
description | pid | process | target process
PID 3048 created 3096 | 3048 | SystemSettings.exe | Explorer.EXE
Executes dropped EXE 4 IoCs
Processes:
11111.exe, 11111.exe, 11111.exe, 11111.exe
pid | process
1964 | 11111.exe
1268 | 11111.exe
4144 | 11111.exe
4504 | 11111.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe | upx
C:\Users\Admin\AppData\Local\Temp\11111.exe | upx
C:\Users\Admin\AppData\Local\Temp\11111.exe | upx
C:\Users\Admin\AppData\Local\Temp\11111.exe | upx
C:\Users\Admin\AppData\Local\Temp\11111.exe | upx
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exe
description | ioc | process
File opened (read-only) | \??\D: | svchost.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
svchost.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | svchost.exe
Drops file in Windows directory 11 IoCs
Processes:
SystemSettings.exe, UserOOBEBroker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.override | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst | svchost.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | SystemSettings.exe
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
SystemSettings.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | SystemSettings.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MoUsoCoreWorker.exe, MoUsoCoreWorker.exe, SystemSettings.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MoUsoCoreWorker.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MoUsoCoreWorker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | SystemSettings.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
SystemSettings.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | SystemSettings.exe
Modifies data under HKEY_USERS 8 IoCs
Processes:
svchost.exe, svchost.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
SystemSettings.exe
pid | process
3048 | SystemSettings.exe
3048 | SystemSettings.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
svchost.exe, MoUsoCoreWorker.exe, MoUsoCoreWorker.exe
description | pid | process
Token: SeSystemEnvironmentPrivilege | 4596 | svchost.exe
Token: SeShutdownPrivilege | 4512 | MoUsoCoreWorker.exe
Token: SeCreatePagefilePrivilege | 4512 | MoUsoCoreWorker.exe
Token: SeShutdownPrivilege | 4512 | MoUsoCoreWorker.exe
Token: SeCreatePagefilePrivilege | 4512 | MoUsoCoreWorker.exe
Token: SeShutdownPrivilege | 4408 | MoUsoCoreWorker.exe
Token: SeCreatePagefilePrivilege | 4408 | MoUsoCoreWorker.exe
Token: SeShutdownPrivilege | 4408 | MoUsoCoreWorker.exe
Token: SeCreatePagefilePrivilege | 4408 | MoUsoCoreWorker.exe
Token: SeShutdownPrivilege | 4408 | MoUsoCoreWorker.exe
Token: SeCreatePagefilePrivilege | 4408 | MoUsoCoreWorker.exe
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
SystemSettings.exe, osk.exe
pid | process
3048 | SystemSettings.exe
4992 | osk.exe
3048 | SystemSettings.exe
4992 | osk.exe
4992 | osk.exe
4992 | osk.exe
4992 | osk.exe
4992 | osk.exe
3048 | SystemSettings.exe
3048 | SystemSettings.exe
3048 | SystemSettings.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
VersiumResearch64bit.exe, svchost.exe, svchost.exe, SystemSettings.exe, ATBroker.exe
description | pid | process | target process
PID 4496 wrote to memory of 1964 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 1964 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 1964 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 1268 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 1268 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 1268 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 4144 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 4144 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 4144 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 4504 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 4504 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 4496 wrote to memory of 4504 | 4496 | VersiumResearch64bit.exe | 11111.exe
PID 1076 wrote to memory of 1056 | 1076 | svchost.exe | pcaui.exe
PID 1076 wrote to memory of 1056 | 1076 | svchost.exe | pcaui.exe
PID 2756 wrote to memory of 5004 | 2756 | svchost.exe | mpcmdrun.exe
PID 2756 wrote to memory of 5004 | 2756 | svchost.exe | mpcmdrun.exe
PID 3048 wrote to memory of 4028 | 3048 | SystemSettings.exe | ATBroker.exe
PID 3048 wrote to memory of 4028 | 3048 | SystemSettings.exe | ATBroker.exe
PID 3048 wrote to memory of 4028 | 3048 | SystemSettings.exe | ATBroker.exe
PID 4028 wrote to memory of 4992 | 4028 | ATBroker.exe | osk.exe
PID 4028 wrote to memory of 4992 | 4028 | ATBroker.exe | osk.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3096

    C:\Users\Admin\AppData\Local\Temp\VersiumResearch64bit.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\VersiumResearch64bit.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4496

        C:\Users\Admin\AppData\Local\Temp\11111.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          - Executes dropped EXE
          PID: 1964

        C:\Users\Admin\AppData\Local\Temp\11111.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          - Executes dropped EXE
          PID: 1268

        C:\Users\Admin\AppData\Local\Temp\11111.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          - Executes dropped EXE
          PID: 4144

        C:\Users\Admin\AppData\Local\Temp\11111.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          - Executes dropped EXE
          PID: 4504

    C:\Windows\System32\ATBroker.exe
      Command line: C:\Windows\System32\ATBroker.exe /start osk
      - Suspicious use of WriteProcessMemory
      PID: 4028

        C:\Windows\System32\osk.exe
          Command line: "C:\Windows\System32\osk.exe"
          - Suspicious use of SetWindowsHookEx
          PID: 4992

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
  - Suspicious use of AdjustPrivilegeToken
  PID: 4596

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
  PID: 4484

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  PID: 1380

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 4772

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID: 1076

    C:\Windows\System32\pcaui.exe
      Command line: C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
      PID: 1056

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  PID: 1524

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
  - Suspicious use of WriteProcessMemory
  PID: 2756

    C:\Program Files\Windows Defender\mpcmdrun.exe
      Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
      PID: 5004

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  Command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3048

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 2212

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
  PID: 3240

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4512

C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
  PID: 3716

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 5060

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4408
Network
MITRE ATT&CK Enterprise v6
Downloads