Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
09-12-2021 21:24
Static task
static1
Behavioral task
behavioral1
Sample
Dmg~2345678765-09876789.cmd.exe
Resource
win7-en-20211208
General
-
Target
Dmg~2345678765-09876789.cmd.exe
-
Size
1.0MB
-
MD5
f175d0b6a0808bce473aa0ae47fa01b0
-
SHA1
8da7b1bc07922d24b5b73060814119b5db5cdea8
-
SHA256
c1a6565f3f81efca37159f4ed315623cc1defc395c738fba77d8c24d1f207cc6
-
SHA512
477d9e8597fd4aec7ba0167b8d2ddd8d3c049e4cd95ddc3b0b762f330aa6b6905a20325ec5e55b9622b652ee19856b96cdd647d512b825d8770d89e08099afe7
Malware Config
Extracted
nanocore
1.2.2.0
6262.hopto.org:6262
185.140.53.131:6262
7b578534-8b04-4a5d-9eb5-d375830cf45d
-
activate_away_mode
true
-
backup_connection_host
185.140.53.131
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-08-31T05:14:41.931016736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6262
-
default_group
6262
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
7b578534-8b04-4a5d-9eb5-d375830cf45d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
6262.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
Dmg~2345678765-09876789.exeRegAsm.exeloppp.exeloppp.exepid process 3216 Dmg~2345678765-09876789.exe 380 RegAsm.exe 2384 loppp.exe 2700 loppp.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/3620-121-0x0000000006360000-0x0000000006381000-memory.dmp agile_net behavioral2/memory/3216-139-0x00000000059C0000-0x0000000005EBE000-memory.dmp agile_net behavioral2/memory/3216-138-0x00000000059C0000-0x0000000005EBE000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
reg.exeRegAsm.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\keysopne = "C:\\Users\\Admin\\Documents\\Dmg~2345678765-09876789.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansvc.exe" RegAsm.exe -
Processes:
RegAsm.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Dmg~2345678765-09876789.exedescription pid process target process PID 3216 set thread context of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe -
Drops file in Program Files directory 2 IoCs
Processes:
RegAsm.exedescription ioc process File created C:\Program Files (x86)\WAN Service\wansvc.exe RegAsm.exe File opened for modification C:\Program Files (x86)\WAN Service\wansvc.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1328 schtasks.exe 1664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
Dmg~2345678765-09876789.cmd.exeDmg~2345678765-09876789.exeRegAsm.exeloppp.exeloppp.exepid process 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3620 Dmg~2345678765-09876789.cmd.exe 3216 Dmg~2345678765-09876789.exe 3216 Dmg~2345678765-09876789.exe 3216 Dmg~2345678765-09876789.exe 3216 Dmg~2345678765-09876789.exe 380 RegAsm.exe 380 RegAsm.exe 380 RegAsm.exe 2384 loppp.exe 2700 loppp.exe 2700 loppp.exe 2700 loppp.exe 3216 Dmg~2345678765-09876789.exe 3216 Dmg~2345678765-09876789.exe 3216 Dmg~2345678765-09876789.exe 3216 Dmg~2345678765-09876789.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegAsm.exepid process 380 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Dmg~2345678765-09876789.cmd.exeDmg~2345678765-09876789.exeRegAsm.exeloppp.exeloppp.exedescription pid process Token: SeDebugPrivilege 3620 Dmg~2345678765-09876789.cmd.exe Token: SeDebugPrivilege 3216 Dmg~2345678765-09876789.exe Token: SeDebugPrivilege 380 RegAsm.exe Token: SeDebugPrivilege 2384 loppp.exe Token: SeDebugPrivilege 2700 loppp.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
Dmg~2345678765-09876789.cmd.execmd.exeDmg~2345678765-09876789.exeRegAsm.exeloppp.exedescription pid process target process PID 3620 wrote to memory of 4036 3620 Dmg~2345678765-09876789.cmd.exe cmd.exe PID 3620 wrote to memory of 4036 3620 Dmg~2345678765-09876789.cmd.exe cmd.exe PID 3620 wrote to memory of 4036 3620 Dmg~2345678765-09876789.cmd.exe cmd.exe PID 4036 wrote to memory of 4240 4036 cmd.exe reg.exe PID 4036 wrote to memory of 4240 4036 cmd.exe reg.exe PID 4036 wrote to memory of 4240 4036 cmd.exe reg.exe PID 3620 wrote to memory of 3216 3620 Dmg~2345678765-09876789.cmd.exe Dmg~2345678765-09876789.exe PID 3620 wrote to memory of 3216 3620 Dmg~2345678765-09876789.cmd.exe Dmg~2345678765-09876789.exe PID 3620 wrote to memory of 3216 3620 Dmg~2345678765-09876789.cmd.exe Dmg~2345678765-09876789.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 3216 wrote to memory of 380 3216 Dmg~2345678765-09876789.exe RegAsm.exe PID 380 wrote to memory of 1328 380 RegAsm.exe schtasks.exe PID 380 wrote to memory of 1328 380 RegAsm.exe schtasks.exe PID 380 wrote to memory of 1328 380 RegAsm.exe schtasks.exe PID 380 wrote to memory of 1664 380 RegAsm.exe schtasks.exe PID 380 wrote to memory of 1664 380 RegAsm.exe schtasks.exe PID 380 wrote to memory of 1664 380 RegAsm.exe schtasks.exe PID 3216 wrote to memory of 2384 3216 Dmg~2345678765-09876789.exe loppp.exe PID 3216 wrote to memory of 2384 3216 Dmg~2345678765-09876789.exe loppp.exe PID 3216 wrote to memory of 2384 3216 Dmg~2345678765-09876789.exe loppp.exe PID 2384 wrote to memory of 2700 2384 loppp.exe loppp.exe PID 2384 wrote to memory of 2700 2384 loppp.exe loppp.exe PID 2384 wrote to memory of 2700 2384 loppp.exe loppp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dmg~2345678765-09876789.cmd.exe"C:\Users\Admin\AppData\Local\Temp\Dmg~2345678765-09876789.cmd.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "keysopne" /t REG_SZ /d "C:\Users\Admin\Documents\Dmg~2345678765-09876789.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "keysopne" /t REG_SZ /d "C:\Users\Admin\Documents\Dmg~2345678765-09876789.exe"3⤵
- Adds Run key to start application
-
C:\Users\Admin\Documents\Dmg~2345678765-09876789.exe"C:\Users\Admin\Documents\Dmg~2345678765-09876789.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC31D.tmp"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC38B.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\loppp.exe"C:\Users\Admin\AppData\Local\Temp\loppp.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loppp.exe"C:\Users\Admin\AppData\Local\Temp\loppp.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\loppp.exe.logMD5
e555c48cb712a9597ecb55a60135d1f8
SHA12081c72d30c34ec3f61f9944545ecdaae11521f7
SHA256815c80df060afa8acf7640ca011735ef77c66666d03901e04a8767827d5da4e9
SHA51232129b5be15217e5400f1e7536270a703d62db60ebb06396b9d74703e6a0dcd2e78f7f42b2019093be1508a9310912f305b88de274a295c9135a4086cd8c8427
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeMD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeMD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Local\Temp\loppp.exeMD5
0e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\loppp.exeMD5
0e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\loppp.exeMD5
0e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\loppp.txtMD5
cb9060d384470e2e4e4cb17080594364
SHA15e46cb2ee73190914b321cabc77841208f8eb857
SHA256ddea80ce310f77c4d0ce1bec762c1125e9e6b4f19e22a59b5a027b450cf375f2
SHA512826a1923982e746b870324c14e4fc5a6c3b91532a323cbfebae878e3015fdb471aae1f627621eb5c58460e4437d766c297b5be3a2b08d97ade4dbc83576dabdb
-
C:\Users\Admin\AppData\Local\Temp\loppp.txtMD5
6255c47afb6eab1335fb88256792133f
SHA11ed13f292081ce22cd1a35d24f3f0334baccb647
SHA25608e021f5c4fb3917eb34fc43f01946ad425cae090103333767aa8aef43903310
SHA51209a1bd389661a6e434cbcd368beed68f734f132f57587b2cc0c780f3e004b9a621ae95b35af3a8d35c69a7fd6b79f94cacd0d74d8e3accfa766c0f334ab2e1a4
-
C:\Users\Admin\AppData\Local\Temp\loppp.txtMD5
6255c47afb6eab1335fb88256792133f
SHA11ed13f292081ce22cd1a35d24f3f0334baccb647
SHA25608e021f5c4fb3917eb34fc43f01946ad425cae090103333767aa8aef43903310
SHA51209a1bd389661a6e434cbcd368beed68f734f132f57587b2cc0c780f3e004b9a621ae95b35af3a8d35c69a7fd6b79f94cacd0d74d8e3accfa766c0f334ab2e1a4
-
C:\Users\Admin\AppData\Local\Temp\tmpC31D.tmpMD5
4cd7da0133ff64f40216341d95fe30bb
SHA188146cfd7754b988f50e929d876f33dc9916758f
SHA25637cce77e24a3c3d5ab28c16f726ef6a62c553acd972e256927f69064c4e1cfde
SHA512fa5b84f207fd9f20b2eace6cda9124e9d718fc80dc0a5fab31507f372d15ba69e1098a26e2e7036ba559ca52a99cfd804ca99ba68bda0a60386a33197722df8f
-
C:\Users\Admin\AppData\Local\Temp\tmpC38B.tmpMD5
9f0deb7cf87b4ae4efde9cc98ff481db
SHA1760265641ce176e555c64bedb494f6f75fd0bd27
SHA256a57110ccf892c8ca9c9b28b2608f4d37a8b5df1bfcf1411e7c62b500e82fabda
SHA5126517829d9a09df437a340485bb87183c7a80135a76296308120e0ab385f5ffa7369a2ace9655ffaf1c594869cc6a20015520b6b0c681217b641b3c58127a29de
-
C:\Users\Admin\Documents\Dmg~2345678765-09876789.exeMD5
f175d0b6a0808bce473aa0ae47fa01b0
SHA18da7b1bc07922d24b5b73060814119b5db5cdea8
SHA256c1a6565f3f81efca37159f4ed315623cc1defc395c738fba77d8c24d1f207cc6
SHA512477d9e8597fd4aec7ba0167b8d2ddd8d3c049e4cd95ddc3b0b762f330aa6b6905a20325ec5e55b9622b652ee19856b96cdd647d512b825d8770d89e08099afe7
-
C:\Users\Admin\Documents\Dmg~2345678765-09876789.exeMD5
f175d0b6a0808bce473aa0ae47fa01b0
SHA18da7b1bc07922d24b5b73060814119b5db5cdea8
SHA256c1a6565f3f81efca37159f4ed315623cc1defc395c738fba77d8c24d1f207cc6
SHA512477d9e8597fd4aec7ba0167b8d2ddd8d3c049e4cd95ddc3b0b762f330aa6b6905a20325ec5e55b9622b652ee19856b96cdd647d512b825d8770d89e08099afe7
-
memory/380-159-0x0000000005060000-0x000000000555E000-memory.dmpFilesize
5.0MB
-
memory/380-142-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/380-143-0x000000000041E792-mapping.dmp
-
memory/380-158-0x0000000005240000-0x0000000005243000-memory.dmpFilesize
12KB
-
memory/380-157-0x0000000005220000-0x0000000005239000-memory.dmpFilesize
100KB
-
memory/380-151-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/380-156-0x00000000050E0000-0x00000000050E5000-memory.dmpFilesize
20KB
-
memory/1328-152-0x0000000000000000-mapping.dmp
-
memory/1664-154-0x0000000000000000-mapping.dmp
-
memory/2384-163-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB
-
memory/2384-160-0x0000000000000000-mapping.dmp
-
memory/2700-167-0x0000000000000000-mapping.dmp
-
memory/3216-127-0x0000000000000000-mapping.dmp
-
memory/3216-141-0x0000000009E90000-0x0000000009E91000-memory.dmpFilesize
4KB
-
memory/3216-138-0x00000000059C0000-0x0000000005EBE000-memory.dmpFilesize
5.0MB
-
memory/3216-140-0x0000000007880000-0x000000000788B000-memory.dmpFilesize
44KB
-
memory/3216-139-0x00000000059C0000-0x0000000005EBE000-memory.dmpFilesize
5.0MB
-
memory/3620-115-0x00000000006F0000-0x00000000006F1000-memory.dmpFilesize
4KB
-
memory/3620-123-0x00000000063C0000-0x00000000063C1000-memory.dmpFilesize
4KB
-
memory/3620-122-0x0000000006400000-0x0000000006401000-memory.dmpFilesize
4KB
-
memory/3620-126-0x0000000005170000-0x000000000566E000-memory.dmpFilesize
5.0MB
-
memory/3620-121-0x0000000006360000-0x0000000006381000-memory.dmpFilesize
132KB
-
memory/3620-120-0x0000000005170000-0x000000000566E000-memory.dmpFilesize
5.0MB
-
memory/3620-119-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3620-118-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/3620-117-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/4036-124-0x0000000000000000-mapping.dmp
-
memory/4240-125-0x0000000000000000-mapping.dmp