Analysis
-
max time kernel
160s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
13-07-2022 06:30
General
-
Target
CFDI_826271_53535.exe
-
Size
894KB
-
MD5
f89a4c9d373e3c928bc405d56a496850
-
SHA1
de58bf97363c74d83249df1ec2f1e9d62a2101d9
-
SHA256
c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
-
SHA512
eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 5 IoCs
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
NTFS ADS 2 IoCs
-
Runs net.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 75⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe"Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exetimeout 65⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 17⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exemiktotik.exe /start7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exemiktotik.exe /start8⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe9⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe/suac10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe"C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd.exe" /c net group "Domain Admins" /domain11⤵
-
C:\Windows\system32\net.exenet group "Domain Admins" /domain12⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group "Domain Admins" /domain13⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /c net group "domain computers" /domain11⤵
-
C:\Windows\system32\net.exenet group "domain computers" /domain12⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group "domain computers" /domain13⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /c nltest /domain_trusts /all_trusts11⤵
-
C:\Windows\system32\nltest.exenltest /domain_trusts /all_trusts12⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\cmd.exe"cmd.exe" /c nltest /domain_trusts11⤵
-
C:\Windows\system32\nltest.exenltest /domain_trusts12⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\cmd.exe"cmd.exe" /c net view /all11⤵
-
C:\Windows\system32\net.exenet view /all12⤵
- Discovers systems in the same network
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe" && /C choice /C Y /N /D Y /T 3 & Del "shfolder.dll" && Del LAG1 && Del LAG211⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 312⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gozip.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Gozip.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 47⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout 85⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exeFilesize
10KB
MD560a1564d18f20769eb65478cc5bc56c0
SHA115ba12509eb288ed4e47162714f86777d8819976
SHA256deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
SHA512e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
-
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exeFilesize
10KB
MD560a1564d18f20769eb65478cc5bc56c0
SHA115ba12509eb288ed4e47162714f86777d8819976
SHA256deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
SHA512e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
-
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbsFilesize
114B
MD58f5293bc4ace65a9f51ba97bddcd7eee
SHA1e11a5055530092c3a805d757110c4f8761976eef
SHA256a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4
SHA512c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exeFilesize
551KB
MD5061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exeFilesize
551KB
MD5061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Preferences.datFilesize
373KB
MD5b1aa11c4722efbcaaf5ebf5f17880d17
SHA1b4b8578e13eb1a860524e827ac8bdd5d8ece604b
SHA2562e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27
SHA512a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.batFilesize
1KB
MD5bf223a7df3a7feecfcb49a5d01d781d9
SHA1d8b2b0f48887e63928576773efe1ab5776d7dfb0
SHA256494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e
SHA512e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.batFilesize
668B
MD5814380ebb377d7ebca662c6ac563eec0
SHA13487cf2382cd0bc87a677e637de1ae40ccfbc13b
SHA256b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136
SHA51241737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbsFilesize
85B
MD5bf045999e4ca77b57de18d5ff25e1272
SHA1e8dab3a106e479a53c4ea61443c2ff7873d17c67
SHA25689f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17
SHA512e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a
-
\??\PIPE\NETLOGONMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exeFilesize
10KB
MD560a1564d18f20769eb65478cc5bc56c0
SHA115ba12509eb288ed4e47162714f86777d8819976
SHA256deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
SHA512e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
-
\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exeFilesize
551KB
MD5061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exeFilesize
947KB
MD56ed0cca96fe69be3b775499509f0b029
SHA1e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
memory/272-73-0x0000000000000000-mapping.dmp
-
memory/540-138-0x0000000000000000-mapping.dmp
-
memory/552-54-0x0000000075501000-0x0000000075503000-memory.dmpFilesize
8KB
-
memory/556-69-0x0000000000000000-mapping.dmp
-
memory/576-153-0x0000000000000000-mapping.dmp
-
memory/576-81-0x0000000000000000-mapping.dmp
-
memory/608-77-0x0000000000000000-mapping.dmp
-
memory/608-89-0x0000000000250000-0x00000000002EB000-memory.dmpFilesize
620KB
-
memory/608-90-0x0000000000250000-0x00000000002EB000-memory.dmpFilesize
620KB
-
memory/760-99-0x0000000000400000-0x000000000049B000-memory.dmpFilesize
620KB
-
memory/760-86-0x0000000000000000-mapping.dmp
-
memory/760-92-0x0000000000400000-0x000000000049B000-memory.dmpFilesize
620KB
-
memory/856-108-0x0000000000000000-mapping.dmp
-
memory/880-66-0x0000000000000000-mapping.dmp
-
memory/936-149-0x0000000000000000-mapping.dmp
-
memory/1028-129-0x0000000000000000-mapping.dmp
-
memory/1028-132-0x0000000000400000-0x000000000049B000-memory.dmpFilesize
620KB
-
memory/1208-127-0x00000000025A0000-0x00000000025A6000-memory.dmpFilesize
24KB
-
memory/1260-55-0x0000000000000000-mapping.dmp
-
memory/1264-59-0x0000000000000000-mapping.dmp
-
memory/1360-150-0x0000000000000000-mapping.dmp
-
memory/1392-141-0x0000000000000000-mapping.dmp
-
memory/1504-79-0x0000000000000000-mapping.dmp
-
memory/1532-148-0x0000000000000000-mapping.dmp
-
memory/1568-145-0x0000000000000000-mapping.dmp
-
memory/1600-147-0x0000000000000000-mapping.dmp
-
memory/1720-103-0x0000000000000000-mapping.dmp
-
memory/1732-144-0x0000000000000000-mapping.dmp
-
memory/1744-142-0x0000000000000000-mapping.dmp
-
memory/1792-72-0x0000000000000000-mapping.dmp
-
memory/1820-95-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1820-106-0x0000000000440000-0x00000000004A6000-memory.dmpFilesize
408KB
-
memory/1820-117-0x00000000020C0000-0x00000000020CC000-memory.dmpFilesize
48KB
-
memory/1820-115-0x0000000000440000-0x00000000004A6000-memory.dmpFilesize
408KB
-
memory/1820-116-0x00000000003E0000-0x00000000003ED000-memory.dmpFilesize
52KB
-
memory/1820-114-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1820-93-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1820-124-0x0000000000440000-0x00000000004A6000-memory.dmpFilesize
408KB
-
memory/1820-104-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1820-100-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1820-96-0x00000000004015C6-mapping.dmp
-
memory/1884-137-0x0000000000E30000-0x0000000000E38000-memory.dmpFilesize
32KB
-
memory/1884-135-0x0000000000000000-mapping.dmp
-
memory/1884-151-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmpFilesize
8KB
-
memory/1936-139-0x0000000000000000-mapping.dmp
-
memory/1952-140-0x0000000000000000-mapping.dmp
-
memory/1972-143-0x0000000000000000-mapping.dmp
-
memory/1976-152-0x0000000000000000-mapping.dmp
-
memory/2004-112-0x0000000000000000-mapping.dmp
-
memory/2012-61-0x0000000000000000-mapping.dmp
-
memory/2024-122-0x0000000000410000-0x0000000000566000-memory.dmpFilesize
1.3MB
-
memory/2024-123-0x0000000002210000-0x000000000221C000-memory.dmpFilesize
48KB
-
memory/2024-121-0x0000000077110000-0x0000000077290000-memory.dmpFilesize
1.5MB
-
memory/2024-120-0x0000000073F81000-0x0000000073F83000-memory.dmpFilesize
8KB
-
memory/2024-118-0x0000000000000000-mapping.dmp
-
memory/2024-125-0x0000000077110000-0x0000000077290000-memory.dmpFilesize
1.5MB
-
memory/2024-126-0x0000000000410000-0x0000000000566000-memory.dmpFilesize
1.3MB
-
memory/2028-110-0x0000000000000000-mapping.dmp