Analysis
- max time kernel: 157s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-02-2022 07:16
Static task
static1
Behavioral task
behavioral1
Sample
a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
Resource
win7-en-20211208
General
- Target: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
- Size: 3.1MB
- MD5: a04867c5f9d320599b65764601f975e2
- SHA1: 6a8377a8b63d8dbaa32c8595c899694a86c4a527
- SHA256: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196
- SHA512: c908c0436a6d50a41f26e701f96d3e85fc23ae44c98ef747d6e21d50239c8d41930fea7aefd9178a07bd5372f180a0db0261252f4f7625660a158d207fc0c2f4
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes: WScript.exe
- flow 50, pid 4400: WScript.exe
Executes dropped EXE 3 IoCs
Processes: clayer.exe, forbarvp.exe, DpEditor.exe
- pid 1696: clayer.exe
- pid 2208: forbarvp.exe
- pid 4256: DpEditor.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: forbarvp.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (forbarvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (forbarvp.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: forbarvp.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (forbarvp.exe)
Loads dropped DLL 1 IoCs
Processes: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
- pid 2380: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe, yara_rule themida
- resource behavioral2/memory/2208-135-0x0000000000D40000-0x000000000140B000-memory.dmp, yara_rule themida
- resource behavioral2/memory/2208-136-0x0000000000D40000-0x000000000140B000-memory.dmp, yara_rule themida
- resource behavioral2/memory/2208-138-0x0000000000D40000-0x000000000140B000-memory.dmp, yara_rule themida
Processes: forbarvp.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (forbarvp.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 16: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: forbarvp.exe
- pid 2208: forbarvp.exe
Drops file in Program Files directory 3 IoCs
Processes: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
- File created: C:\Program Files (x86)\foler\olader\acppage.dll (a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe)
- File created: C:\Program Files (x86)\foler\olader\adprovider.dll (a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe)
- File created: C:\Program Files (x86)\foler\olader\acledit.dll (a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe)
Drops file in Windows directory 8 IoCs
Processes: TiWorker.exe, svchost.exe
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: forbarvp.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (forbarvp.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (forbarvp.exe)
Modifies registry class 1 IoCs
Processes: forbarvp.exe
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings (forbarvp.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: DpEditor.exe
- pid 4256: DpEditor.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: forbarvp.exe
- pid 2208: forbarvp.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe (repeated entries collapsed)
- pid 2392, svchost.exe: Token: SeShutdownPrivilege, Token: SeCreatePagefilePrivilege
- pid 4312, TiWorker.exe: Token: SeSecurityPrivilege, Token: SeRestorePrivilege, Token: SeBackupPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: clayer.exe (repeated entries collapsed)
- pid 1696: clayer.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: clayer.exe (repeated entries collapsed)
- pid 1696: clayer.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe, forbarvp.exe, clayer.exe (repeated entries collapsed)
- PID 2380 (a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe) wrote to memory of 1696 (clayer.exe)
- PID 2380 (a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe) wrote to memory of 2208 (forbarvp.exe)
- PID 2208 (forbarvp.exe) wrote to memory of 3396 (WScript.exe)
- PID 1696 (clayer.exe) wrote to memory of 4256 (DpEditor.exe)
- PID 2208 (forbarvp.exe) wrote to memory of 4400 (WScript.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (depth 3)
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe (depth 3)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\snkmuyv.vbs"
-
C:\Windows\SysWOW64\WScript.exe (depth 3)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mtpvwynmef.vbs"
- Blocklisted process makes network request
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads