Analysis
-
max time kernel
68s -
max time network
66s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-06-2022 05:18
Static task
static1
Behavioral task
behavioral1
Sample
45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
Resource
win10v2004-20220414-en
General
-
Target
45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe
-
Size
289KB
-
MD5
7f142f5e800096af5de5160ba5caa91e
-
SHA1
6d5e1375311720b3f883d14e4e59cc251e8bb299
-
SHA256
45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1
-
SHA512
8be8d194267714433ff05d3981238963fbaf408fbc3d2473ca911573a235092fb8ec18e01fef618c7d61cd62dc82abe0ea04f40b2994e37bf81869828fbc5537
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Sets file to hidden 1 TTPs 7 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 908 attrib.exe 628 attrib.exe 708 attrib.exe 1624 attrib.exe 1904 attrib.exe 1036 attrib.exe 1800 attrib.exe -
Processes:
resource yara_rule behavioral1/memory/480-55-0x0000000000400000-0x00000000004DB000-memory.dmp upx behavioral1/memory/480-63-0x0000000000400000-0x00000000004DB000-memory.dmp upx behavioral1/memory/480-108-0x0000000000400000-0x00000000004DB000-memory.dmp upx -
Deletes itself 1 IoCs
Processes:
WScript.exepid process 1900 WScript.exe -
Drops file in Program Files directory 1 IoCs
Processes:
attrib.exedescription ioc process File opened for modification C:\program files (x86)\stormii attrib.exe -
Drops file in Windows directory 6 IoCs
Processes:
attrib.exe45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exeattrib.exeattrib.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Windows\tasksche.exe attrib.exe File created \??\c:\windows\demo.bat 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe File opened for modification C:\Windows\SpeechsTracing\Microsoft attrib.exe File opened for modification C:\Windows\SecureBootThemes attrib.exe File opened for modification C:\Windows\sysprepthemes attrib.exe File opened for modification C:\Windows\svchost.exe attrib.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with WMI 13 IoCs
Processes:
WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exepid process 1852 WMIC.exe 300 WMIC.exe 1556 WMIC.exe 1548 WMIC.exe 1068 WMIC.exe 1504 WMIC.exe 1904 WMIC.exe 840 WMIC.exe 1980 WMIC.exe 1676 WMIC.exe 608 WMIC.exe 916 WMIC.exe 1880 WMIC.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 1352 taskkill.exe 1612 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exeWMIC.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1352 taskkill.exe Token: SeIncreaseQuotaPrivilege 300 WMIC.exe Token: SeSecurityPrivilege 300 WMIC.exe Token: SeTakeOwnershipPrivilege 300 WMIC.exe Token: SeLoadDriverPrivilege 300 WMIC.exe Token: SeSystemProfilePrivilege 300 WMIC.exe Token: SeSystemtimePrivilege 300 WMIC.exe Token: SeProfSingleProcessPrivilege 300 WMIC.exe Token: SeIncBasePriorityPrivilege 300 WMIC.exe Token: SeCreatePagefilePrivilege 300 WMIC.exe Token: SeBackupPrivilege 300 WMIC.exe Token: SeRestorePrivilege 300 WMIC.exe Token: SeShutdownPrivilege 300 WMIC.exe Token: SeDebugPrivilege 300 WMIC.exe Token: SeSystemEnvironmentPrivilege 300 WMIC.exe Token: SeRemoteShutdownPrivilege 300 WMIC.exe Token: SeUndockPrivilege 300 WMIC.exe Token: SeManageVolumePrivilege 300 WMIC.exe Token: 33 300 WMIC.exe Token: 34 300 WMIC.exe Token: 35 300 WMIC.exe Token: SeIncreaseQuotaPrivilege 300 WMIC.exe Token: SeSecurityPrivilege 300 WMIC.exe Token: SeTakeOwnershipPrivilege 300 WMIC.exe Token: SeLoadDriverPrivilege 300 WMIC.exe Token: SeSystemProfilePrivilege 300 WMIC.exe Token: SeSystemtimePrivilege 300 WMIC.exe Token: SeProfSingleProcessPrivilege 300 WMIC.exe Token: SeIncBasePriorityPrivilege 300 WMIC.exe Token: SeCreatePagefilePrivilege 300 WMIC.exe Token: SeBackupPrivilege 300 WMIC.exe Token: SeRestorePrivilege 300 WMIC.exe Token: SeShutdownPrivilege 300 WMIC.exe Token: SeDebugPrivilege 300 WMIC.exe Token: SeSystemEnvironmentPrivilege 300 WMIC.exe Token: SeRemoteShutdownPrivilege 300 WMIC.exe Token: SeUndockPrivilege 300 WMIC.exe Token: SeManageVolumePrivilege 300 WMIC.exe Token: 33 300 WMIC.exe Token: 34 300 WMIC.exe Token: 35 300 WMIC.exe Token: SeIncreaseQuotaPrivilege 1556 WMIC.exe Token: SeSecurityPrivilege 1556 WMIC.exe Token: SeTakeOwnershipPrivilege 1556 WMIC.exe Token: SeLoadDriverPrivilege 1556 WMIC.exe Token: SeSystemProfilePrivilege 1556 WMIC.exe Token: SeSystemtimePrivilege 1556 WMIC.exe Token: SeProfSingleProcessPrivilege 1556 WMIC.exe Token: SeIncBasePriorityPrivilege 1556 WMIC.exe Token: SeCreatePagefilePrivilege 1556 WMIC.exe Token: SeBackupPrivilege 1556 WMIC.exe Token: SeRestorePrivilege 1556 WMIC.exe Token: SeShutdownPrivilege 1556 WMIC.exe Token: SeDebugPrivilege 1556 WMIC.exe Token: SeSystemEnvironmentPrivilege 1556 WMIC.exe Token: SeRemoteShutdownPrivilege 1556 WMIC.exe Token: SeUndockPrivilege 1556 WMIC.exe Token: SeManageVolumePrivilege 1556 WMIC.exe Token: 33 1556 WMIC.exe Token: 34 1556 WMIC.exe Token: 35 1556 WMIC.exe Token: SeIncreaseQuotaPrivilege 1556 WMIC.exe Token: SeSecurityPrivilege 1556 WMIC.exe Token: SeTakeOwnershipPrivilege 1556 WMIC.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exepid process 480 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe 480 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.execmd.exedescription pid process target process PID 480 wrote to memory of 964 480 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe cmd.exe PID 480 wrote to memory of 964 480 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe cmd.exe PID 480 wrote to memory of 964 480 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe cmd.exe PID 480 wrote to memory of 964 480 45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe cmd.exe PID 964 wrote to memory of 1352 964 cmd.exe taskkill.exe PID 964 wrote to memory of 1352 964 cmd.exe taskkill.exe PID 964 wrote to memory of 1352 964 cmd.exe taskkill.exe PID 964 wrote to memory of 1352 964 cmd.exe taskkill.exe PID 964 wrote to memory of 300 964 cmd.exe WMIC.exe PID 964 wrote to memory of 300 964 cmd.exe WMIC.exe PID 964 wrote to memory of 300 964 cmd.exe WMIC.exe PID 964 wrote to memory of 300 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1556 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1556 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1556 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1556 964 cmd.exe WMIC.exe PID 964 wrote to memory of 840 964 cmd.exe WMIC.exe PID 964 wrote to memory of 840 964 cmd.exe WMIC.exe PID 964 wrote to memory of 840 964 cmd.exe WMIC.exe PID 964 wrote to memory of 840 964 cmd.exe WMIC.exe PID 964 wrote to memory of 1624 964 cmd.exe attrib.exe PID 964 wrote to memory of 1624 964 cmd.exe attrib.exe PID 964 wrote to memory of 1624 964 cmd.exe attrib.exe PID 964 wrote to memory of 1624 964 cmd.exe attrib.exe PID 964 wrote to memory of 1420 964 cmd.exe cmd.exe PID 964 wrote to memory of 1420 964 cmd.exe cmd.exe PID 964 wrote to memory of 1420 964 cmd.exe cmd.exe PID 964 wrote to memory of 1420 964 cmd.exe cmd.exe PID 964 wrote to memory of 1940 964 cmd.exe cacls.exe PID 964 wrote to memory of 1940 964 cmd.exe cacls.exe PID 964 wrote to memory of 1940 964 cmd.exe cacls.exe PID 964 wrote to memory of 1940 964 cmd.exe cacls.exe PID 964 wrote to memory of 1904 964 cmd.exe attrib.exe PID 964 wrote to memory of 1904 964 cmd.exe attrib.exe PID 964 wrote to memory of 1904 964 cmd.exe attrib.exe PID 964 wrote to memory of 1904 964 cmd.exe attrib.exe PID 964 wrote to memory of 1952 964 cmd.exe cmd.exe PID 964 wrote to memory of 1952 964 cmd.exe cmd.exe PID 964 wrote to memory of 1952 964 cmd.exe cmd.exe PID 964 wrote to memory of 1952 964 cmd.exe cmd.exe PID 964 wrote to memory of 1336 964 cmd.exe cacls.exe PID 964 wrote to memory of 1336 964 cmd.exe cacls.exe PID 964 wrote to memory of 1336 964 cmd.exe cacls.exe PID 964 wrote to memory of 1336 964 cmd.exe cacls.exe PID 964 wrote to memory of 1036 964 cmd.exe attrib.exe PID 964 wrote to memory of 1036 964 cmd.exe attrib.exe PID 964 wrote to memory of 1036 964 cmd.exe attrib.exe PID 964 wrote to memory of 1036 964 cmd.exe attrib.exe PID 964 wrote to memory of 1096 964 cmd.exe cmd.exe PID 964 wrote to memory of 1096 964 cmd.exe cmd.exe PID 964 wrote to memory of 1096 964 cmd.exe cmd.exe PID 964 wrote to memory of 1096 964 cmd.exe cmd.exe PID 964 wrote to memory of 916 964 cmd.exe cacls.exe PID 964 wrote to memory of 916 964 cmd.exe cacls.exe PID 964 wrote to memory of 916 964 cmd.exe cacls.exe PID 964 wrote to memory of 916 964 cmd.exe cacls.exe PID 964 wrote to memory of 1696 964 cmd.exe attrib.exe PID 964 wrote to memory of 1696 964 cmd.exe attrib.exe PID 964 wrote to memory of 1696 964 cmd.exe attrib.exe PID 964 wrote to memory of 1696 964 cmd.exe attrib.exe PID 964 wrote to memory of 1708 964 cmd.exe cmd.exe PID 964 wrote to memory of 1708 964 cmd.exe cmd.exe PID 964 wrote to memory of 1708 964 cmd.exe cmd.exe PID 964 wrote to memory of 1708 964 cmd.exe cmd.exe -
Views/modifies file attributes 1 TTPs 8 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 628 attrib.exe 708 attrib.exe 1624 attrib.exe 1904 attrib.exe 1036 attrib.exe 1696 attrib.exe 1800 attrib.exe 908 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe"C:\Users\Admin\AppData\Local\Temp\45a8d8ad3fa19e26024835ca5a95902a4107472bace4fda72680f36e439b05d1.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\demo.bat2⤵
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im rundll32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SecureBootThemes\\Microsoft\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:300 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\sysprepthemes\\microsoft\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\Windows\\SpeechsTracing\\Microsoft\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:840 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\SpeechsTracing\Microsoft3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1420
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SpeechsTracing\Microsoft /e /p everyone:n /d administrators3⤵PID:1940
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\SecureBootThemes3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1904 -
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SecureBootThemes /e /p everyone:n /d administrators3⤵PID:1336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1952
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\Windows\sysprepthemes3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1096
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\ProgramData3⤵
- Views/modifies file attributes
PID:1696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1708
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData\Natihial\svshostr.exe /d everyone3⤵PID:1800
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData\new\csrss.exe /d everyone3⤵PID:1632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:2020
-
C:\Windows\SysWOW64\cacls.execacls C:\windows\svchost.exe /d everyone3⤵PID:1592
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate3⤵
- Kills process with WMI
PID:1980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1352
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData\expl0rer.exe /d everyone3⤵PID:2012
-
C:\Windows\SysWOW64\cacls.execacls C:\ProgramData\Microsoft\Natihial\cmd.exe /d everyone3⤵PID:956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1528
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\sysprepthemes /e /p everyone:n /d administrators3⤵PID:916
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "Adobe Flash Player Updaters" /f3⤵PID:568
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\new\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:1548 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:1068 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\dll\\svchost.exe'" call Terminate3⤵
- Kills process with WMI
PID:1504 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\dll\\csrss.exe'" call Terminate3⤵
- Kills process with WMI
PID:1904 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\Natioanl\\svchostr.exe'" call Terminate3⤵
- Kills process with WMI
PID:1676 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\Natioanl\\csrss..exe'" call Terminate3⤵
- Kills process with WMI
PID:608 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\nm\\winlogin.exe'" call Terminate3⤵
- Kills process with WMI
PID:916 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\svchost.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1800 -
C:\Windows\SysWOW64\cacls.execacls C:\Windows\svchost.exe /d everyone3⤵PID:1724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1432
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im tasksche.exe3⤵
- Kills process with taskkill
PID:1612 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\tasksche.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:908 -
C:\Windows\SysWOW64\cacls.execacls C:\Windows\tasksche.exe /d everyone3⤵PID:2036
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='server.exe' and ExecutablePath='C:\\program files (x86)\\stormii\\server.exe'" call Terminate3⤵
- Kills process with WMI
PID:1880 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a C:\ProgramData3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1980
-
C:\Windows\SysWOW64\cacls.execacls "C:\program files (x86)\stormii\server.exe" /d everyone3⤵PID:588
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process where "name='conhost.exe' and ExecutablePath='C:\\program files (x86)\\windows nt\\conhost.exe'" call Terminate3⤵
- Kills process with WMI
PID:1852 -
C:\Windows\SysWOW64\cacls.execacls "C:\program files (x86)\stormii" /d everyone3⤵PID:1548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1152
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r +a "C:\program files (x86)\stormii"3⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵PID:1176
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
- Deletes itself
PID:1900
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tem.vbsFilesize
275B
MD5805482b9089682ec0f82a29aaa1eb1bc
SHA15d9b6a5491f2854c6d48d1552a272f555bd033ac
SHA2569b74ae442c953175ad499082ae5ac5a125f6fe8b8b513925b1b160352aaf813d
SHA51234936334ca48b006c16615102119a528fb2f746eebf8e0186d902f5423da830832447a5236e883d19411f67a9238da7b9f2ecc3888de540683b5a35317d19920
-
\??\c:\windows\demo.batFilesize
4KB
MD57add4dd082e2e84ea7ea41a48a267450
SHA1c382039ed13d239136e1ec4430bdd3343b28d8e8
SHA2561b7a7b3df3a919c5e51a7f32cf5adc2fe1208dce454adf40864caad9912caa4c
SHA51250a1ed761b48db3f6c9aeaabf1bfc169ec69dc97717d28d6cf0e612cdaa2661b0c06b8c1a375572511190b84d7952583f26cf0a2ff6f84b17bb89c260c7ab539
-
memory/300-59-0x0000000000000000-mapping.dmp
-
memory/480-108-0x0000000000400000-0x00000000004DB000-memory.dmpFilesize
876KB
-
memory/480-55-0x0000000000400000-0x00000000004DB000-memory.dmpFilesize
876KB
-
memory/480-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/480-63-0x0000000000400000-0x00000000004DB000-memory.dmpFilesize
876KB
-
memory/568-84-0x0000000000000000-mapping.dmp
-
memory/588-102-0x0000000000000000-mapping.dmp
-
memory/608-90-0x0000000000000000-mapping.dmp
-
memory/628-99-0x0000000000000000-mapping.dmp
-
memory/708-103-0x0000000000000000-mapping.dmp
-
memory/840-61-0x0000000000000000-mapping.dmp
-
memory/908-96-0x0000000000000000-mapping.dmp
-
memory/916-71-0x0000000000000000-mapping.dmp
-
memory/916-91-0x0000000000000000-mapping.dmp
-
memory/956-78-0x0000000000000000-mapping.dmp
-
memory/964-56-0x0000000000000000-mapping.dmp
-
memory/1036-69-0x0000000000000000-mapping.dmp
-
memory/1068-86-0x0000000000000000-mapping.dmp
-
memory/1096-70-0x0000000000000000-mapping.dmp
-
memory/1152-104-0x0000000000000000-mapping.dmp
-
memory/1176-97-0x0000000000000000-mapping.dmp
-
memory/1336-68-0x0000000000000000-mapping.dmp
-
memory/1352-81-0x0000000000000000-mapping.dmp
-
memory/1352-58-0x0000000000000000-mapping.dmp
-
memory/1420-64-0x0000000000000000-mapping.dmp
-
memory/1432-93-0x0000000000000000-mapping.dmp
-
memory/1504-87-0x0000000000000000-mapping.dmp
-
memory/1528-75-0x0000000000000000-mapping.dmp
-
memory/1548-105-0x0000000000000000-mapping.dmp
-
memory/1548-85-0x0000000000000000-mapping.dmp
-
memory/1556-60-0x0000000000000000-mapping.dmp
-
memory/1592-82-0x0000000000000000-mapping.dmp
-
memory/1612-95-0x0000000000000000-mapping.dmp
-
memory/1624-62-0x0000000000000000-mapping.dmp
-
memory/1632-76-0x0000000000000000-mapping.dmp
-
memory/1676-89-0x0000000000000000-mapping.dmp
-
memory/1684-77-0x0000000000000000-mapping.dmp
-
memory/1696-72-0x0000000000000000-mapping.dmp
-
memory/1708-73-0x0000000000000000-mapping.dmp
-
memory/1724-94-0x0000000000000000-mapping.dmp
-
memory/1800-92-0x0000000000000000-mapping.dmp
-
memory/1800-74-0x0000000000000000-mapping.dmp
-
memory/1852-106-0x0000000000000000-mapping.dmp
-
memory/1880-100-0x0000000000000000-mapping.dmp
-
memory/1900-107-0x0000000000000000-mapping.dmp
-
memory/1904-66-0x0000000000000000-mapping.dmp
-
memory/1904-88-0x0000000000000000-mapping.dmp
-
memory/1940-65-0x0000000000000000-mapping.dmp
-
memory/1952-67-0x0000000000000000-mapping.dmp
-
memory/1980-101-0x0000000000000000-mapping.dmp
-
memory/1980-83-0x0000000000000000-mapping.dmp
-
memory/2012-80-0x0000000000000000-mapping.dmp
-
memory/2020-79-0x0000000000000000-mapping.dmp
-
memory/2036-98-0x0000000000000000-mapping.dmp