Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 19:42
General
-
Target
51b18e70a20148aac8b4a7dcc35dc0fbea56f618c268c3263a73c2d7930f242c.exe
-
Size
3.1MB
-
MD5
a8a946ab8b01f067b80e93ebaf1a6752
-
SHA1
39322050bbd3ac2c8455bbe6a3495e48db505605
-
SHA256
51b18e70a20148aac8b4a7dcc35dc0fbea56f618c268c3263a73c2d7930f242c
-
SHA512
8b79073fff6f062454b6e2c00a2992b6d2204a71371eb9c6bd22072056c246ecbd4d17dd24e0bb929f626a02b9d9b1a96231c0abcf61af8799d36da7602517b5
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51b18e70a20148aac8b4a7dcc35dc0fbea56f618c268c3263a73c2d7930f242c.exe"C:\Users\Admin\AppData\Local\Temp\51b18e70a20148aac8b4a7dcc35dc0fbea56f618c268c3263a73c2d7930f242c.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fl.exe"C:\Users\Admin\AppData\Local\Temp\fl.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"' & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"'6⤵
- Creates scheduled task(s)
-
C:\Windows\system32\dascHost.exe"C:\Windows\system32\dascHost.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\dascHost.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\dascHost.exe"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"' & exit8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"'9⤵
- Creates scheduled task(s)
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.logMD5
84f2160705ac9a032c002f966498ef74
SHA1e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA2567840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
a1dabde7f5a9a509a357b47ae42e1691
SHA18027f69b39473907c7ea5be929d8d3f412542051
SHA2565eac53763ef1b20f75acae4040c645d99ae17ae1ba55856101de8d48f50d5461
SHA512ce68838e0a1601dacd4551fe99d2c71c3d336734a415b370a13637aaedef19766bb7bca52adef366476b13e4aa1ed396954463fcdedb95c8a55a54ce472330ba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
a85bd0cf7aa7303dff1784bfcccb69ef
SHA1c5c1007eca15d49d158bc76e6ca710c77f7be89f
SHA256aad18ccb07901a68d33de38bb6b8b7af4e27ff4c5756da3cf8379f4a9572bb70
SHA512aba5d9fae6af45c31d069a111bd47ea49c438166afb3b6c266310a4167b1eb8feb6a093f6eb6907c43fca6aae774a9eb98ff37eac4ca4a9dac9f7e8f25884306
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
0820253e467035fdee88730316f6ae7c
SHA1ddcac76f97f99713b12edb515905af398bf94ad9
SHA256a96fbe6e915821acd0720a2c9c2e7dacfa77eaee0305d263aa088e95db32a670
SHA512448b500b6168aacdbc41a164732f48decb0f4c14307f9a82b0e0ed95d0040900c405d97b08ebe01678b8ea99fa9997e454b27e9640d05988a4840e2e756b7f23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b4ed24219ead5e59f329416aea7a605a
SHA139d0965fd4dfd02fbe0868122454c1ee4ed96385
SHA256aa01658009b2d30f37b10564a57654db7b40cf162975b550fef66bed1a6e2faf
SHA5129898a32e2e5f38eec0038f666080ee2624c51afabe3407ac2636255901f0adeeab301569b24c2e617c37128ed427093b6772deaaa2d26bc4b7092a53edae3b6a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
016c2f5ec7c648e8355ee10d275d9bd1
SHA1184cba9cafc12260c44cc760f3367b5aa7881733
SHA256f0972e40814024b5114d233781f5c1d1ee5c10b4faee92c443fc0c7827df4329
SHA512ddf4034a5278230acce816f7de5fa5cf0e7c6aaf97935fc570f39ab1dc52e99e708cb8c4659656cf584c52125ffb8d38f6f78cfa541f8801561621e4f48e4fa4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
efb3f5290cb73e1cdcb31c5f5ad0157b
SHA194bb659aec811ccda9b9ac1d6451620333e807ac
SHA2569df0c0e70af1f8e95368f9a9a041fe049747f8ba227a9c4de0da23659d8692cb
SHA51241764cb13933718ca1104c29a6afbece6c132f6e1692d0776678c640dfd3308980af968e4dd48d05b12cb34b001cc015a80656bb2a716d792d239d54034d5dbc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8afff33de4f61a0e6adb82a525e780ea
SHA166205707197ddf6b8ec7c5006869f6f25a9d88e8
SHA25688216e320b5db8eb9b183fae0a54c0511dc80d76e316fb7ddbc739a18bad2fde
SHA5124e866d533692f3f69da2e19a750dc6165f4de70f7612a9cb29f3982fbb7162f1a99228eebb388565e2a508a7cf7c91657995ad31b85dcf7696904daa70ce7279
-
C:\Users\Admin\AppData\Local\Temp\fl.exeMD5
863c021ab6d46dcc5f5b8a2cdab814fd
SHA1fb1f5831b886e702a0a6e994188ce3e102935192
SHA25625fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
SHA51223dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3
-
C:\Users\Admin\AppData\Local\Temp\fl.exeMD5
863c021ab6d46dcc5f5b8a2cdab814fd
SHA1fb1f5831b886e702a0a6e994188ce3e102935192
SHA25625fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
SHA51223dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeMD5
bc74a0b1eeeced279cd2088b27f8ffe2
SHA1308d89755701eb813436560393d37173c04dc646
SHA256692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2
SHA512f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeMD5
bc74a0b1eeeced279cd2088b27f8ffe2
SHA1308d89755701eb813436560393d37173c04dc646
SHA256692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2
SHA512f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeMD5
bc74a0b1eeeced279cd2088b27f8ffe2
SHA1308d89755701eb813436560393d37173c04dc646
SHA256692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2
SHA512f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeMD5
bc74a0b1eeeced279cd2088b27f8ffe2
SHA1308d89755701eb813436560393d37173c04dc646
SHA256692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2
SHA512f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e
-
C:\Windows\System32\Microsoft\Telemetry\sihost32.exeMD5
84d1e96c80f25a1a9256b468a9f8257f
SHA1b310707940a721bf8aaa310c141edb0df53cdc76
SHA25624409df45885818a92793183122b07298d66508d552d4d3be07108448e891ca1
SHA5123a36fe0486c4560b43314e67aa7bbb60f29343ef2e01e33f1c7ce74c81810609eec200f954d8c82313ed11a198343e092ef216b86725271f0fd06a0e9773d993
-
C:\Windows\System32\dascHost.exeMD5
863c021ab6d46dcc5f5b8a2cdab814fd
SHA1fb1f5831b886e702a0a6e994188ce3e102935192
SHA25625fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
SHA51223dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exeMD5
84d1e96c80f25a1a9256b468a9f8257f
SHA1b310707940a721bf8aaa310c141edb0df53cdc76
SHA25624409df45885818a92793183122b07298d66508d552d4d3be07108448e891ca1
SHA5123a36fe0486c4560b43314e67aa7bbb60f29343ef2e01e33f1c7ce74c81810609eec200f954d8c82313ed11a198343e092ef216b86725271f0fd06a0e9773d993
-
C:\Windows\system32\dascHost.exeMD5
863c021ab6d46dcc5f5b8a2cdab814fd
SHA1fb1f5831b886e702a0a6e994188ce3e102935192
SHA25625fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
SHA51223dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3
-
memory/1076-306-0x0000000000000000-mapping.dmp
-
memory/1076-312-0x000000001C640000-0x000000001C642000-memory.dmpFilesize
8KB
-
memory/1132-313-0x0000000000000000-mapping.dmp
-
memory/1136-148-0x000000001BFD0000-0x000000001BFD2000-memory.dmpFilesize
8KB
-
memory/1136-133-0x0000000000000000-mapping.dmp
-
memory/1136-136-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/1176-138-0x0000000000000000-mapping.dmp
-
memory/1220-478-0x0000000000000000-mapping.dmp
-
memory/1300-392-0x0000000000000000-mapping.dmp
-
memory/1300-427-0x000001E31F806000-0x000001E31F808000-memory.dmpFilesize
8KB
-
memory/1300-425-0x000001E31F800000-0x000001E31F802000-memory.dmpFilesize
8KB
-
memory/1300-458-0x000001E31F808000-0x000001E31F809000-memory.dmpFilesize
4KB
-
memory/1300-426-0x000001E31F803000-0x000001E31F805000-memory.dmpFilesize
8KB
-
memory/1344-486-0x0000000000000000-mapping.dmp
-
memory/1852-303-0x0000000000000000-mapping.dmp
-
memory/1988-485-0x0000000000000000-mapping.dmp
-
memory/2088-484-0x0000000000000000-mapping.dmp
-
memory/2240-479-0x0000000000000000-mapping.dmp
-
memory/2240-482-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/2240-488-0x000000001C400000-0x000000001C402000-memory.dmpFilesize
8KB
-
memory/2608-424-0x000001D8E8D48000-0x000001D8E8D49000-memory.dmpFilesize
4KB
-
memory/2608-388-0x000001D8E8D46000-0x000001D8E8D48000-memory.dmpFilesize
8KB
-
memory/2608-353-0x0000000000000000-mapping.dmp
-
memory/2608-386-0x000001D8E8D40000-0x000001D8E8D42000-memory.dmpFilesize
8KB
-
memory/2608-387-0x000001D8E8D43000-0x000001D8E8D45000-memory.dmpFilesize
8KB
-
memory/2648-119-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/2648-118-0x0000000005BB0000-0x0000000005BB1000-memory.dmpFilesize
4KB
-
memory/2648-116-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/2648-126-0x0000000007410000-0x0000000007411000-memory.dmpFilesize
4KB
-
memory/2648-125-0x0000000006D10000-0x0000000006D11000-memory.dmpFilesize
4KB
-
memory/2648-127-0x0000000006EE0000-0x0000000006EE1000-memory.dmpFilesize
4KB
-
memory/2648-123-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/2648-124-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/2648-120-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/2648-128-0x0000000007020000-0x0000000007021000-memory.dmpFilesize
4KB
-
memory/2648-122-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/2648-129-0x0000000007E40000-0x0000000007E41000-memory.dmpFilesize
4KB
-
memory/2648-121-0x0000000077AB0000-0x0000000077C3E000-memory.dmpFilesize
1.6MB
-
memory/2648-132-0x0000000007940000-0x0000000007941000-memory.dmpFilesize
4KB
-
memory/2648-131-0x00000000079B0000-0x00000000079B1000-memory.dmpFilesize
4KB
-
memory/2648-130-0x00000000071E0000-0x00000000071E1000-memory.dmpFilesize
4KB
-
memory/2652-297-0x0000000000000000-mapping.dmp
-
memory/2652-305-0x0000000001310000-0x0000000001312000-memory.dmpFilesize
8KB
-
memory/2652-302-0x00000000012E0000-0x00000000012E1000-memory.dmpFilesize
4KB
-
memory/2652-300-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/2664-216-0x000001C065A68000-0x000001C065A69000-memory.dmpFilesize
4KB
-
memory/2664-177-0x0000000000000000-mapping.dmp
-
memory/2664-214-0x000001C065A63000-0x000001C065A65000-memory.dmpFilesize
8KB
-
memory/2664-215-0x000001C065A66000-0x000001C065A68000-memory.dmpFilesize
8KB
-
memory/2664-213-0x000001C065A60000-0x000001C065A62000-memory.dmpFilesize
8KB
-
memory/2688-469-0x0000024786BE8000-0x0000024786BE9000-memory.dmpFilesize
4KB
-
memory/2688-460-0x0000024786BE0000-0x0000024786BE2000-memory.dmpFilesize
8KB
-
memory/2688-430-0x0000000000000000-mapping.dmp
-
memory/2688-464-0x0000024786BE6000-0x0000024786BE8000-memory.dmpFilesize
8KB
-
memory/2688-462-0x0000024786BE3000-0x0000024786BE5000-memory.dmpFilesize
8KB
-
memory/2704-315-0x0000000000000000-mapping.dmp
-
memory/2704-349-0x00000134A49E6000-0x00000134A49E8000-memory.dmpFilesize
8KB
-
memory/2704-348-0x00000134A49E3000-0x00000134A49E5000-memory.dmpFilesize
8KB
-
memory/2704-347-0x00000134A49E0000-0x00000134A49E2000-memory.dmpFilesize
8KB
-
memory/2704-385-0x00000134A49E8000-0x00000134A49E9000-memory.dmpFilesize
4KB
-
memory/2708-314-0x0000000000000000-mapping.dmp
-
memory/2720-487-0x0000000003420000-0x0000000003422000-memory.dmpFilesize
8KB
-
memory/2720-471-0x0000000000000000-mapping.dmp
-
memory/2744-470-0x0000000000000000-mapping.dmp
-
memory/2956-139-0x0000000000000000-mapping.dmp
-
memory/2956-147-0x000001E922E80000-0x000001E922E81000-memory.dmpFilesize
4KB
-
memory/2956-173-0x000001E908DF6000-0x000001E908DF8000-memory.dmpFilesize
8KB
-
memory/2956-150-0x000001E908DF3000-0x000001E908DF5000-memory.dmpFilesize
8KB
-
memory/2956-212-0x000001E908DF8000-0x000001E908DF9000-memory.dmpFilesize
4KB
-
memory/2956-144-0x000001E90AC80000-0x000001E90AC81000-memory.dmpFilesize
4KB
-
memory/2956-149-0x000001E908DF0000-0x000001E908DF2000-memory.dmpFilesize
8KB
-
memory/3244-253-0x000002B1FC1B8000-0x000002B1FC1B9000-memory.dmpFilesize
4KB
-
memory/3244-255-0x000002B1FC1B6000-0x000002B1FC1B8000-memory.dmpFilesize
8KB
-
memory/3244-252-0x000002B1FC1B0000-0x000002B1FC1B2000-memory.dmpFilesize
8KB
-
memory/3244-254-0x000002B1FC1B3000-0x000002B1FC1B5000-memory.dmpFilesize
8KB
-
memory/3244-218-0x0000000000000000-mapping.dmp
-
memory/3388-310-0x0000000000000000-mapping.dmp
-
memory/3496-304-0x0000000000000000-mapping.dmp
-
memory/3824-296-0x0000000000000000-mapping.dmp
-
memory/4076-289-0x000001D622150000-0x000001D622152000-memory.dmpFilesize
8KB
-
memory/4076-257-0x0000000000000000-mapping.dmp
-
memory/4076-290-0x000001D622153000-0x000001D622155000-memory.dmpFilesize
8KB
-
memory/4076-291-0x000001D622156000-0x000001D622158000-memory.dmpFilesize
8KB
-
memory/4076-295-0x000001D622158000-0x000001D622159000-memory.dmpFilesize
4KB