Analysis
- max time kernel: 301s
- max time network: 63s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-09-2022 06:18
Static task: static1
Behavioral task: behavioral1
- Sample: Install.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Install.exe
- Resource: win10v2004-20220812-en
General
- Target: Install.exe
- Size: 2.3MB
- MD5: 81b999918d94285ca5791aed3c8157fe
- SHA1: 2578c47353c13cf28468518c79ee5a035beed760
- SHA256: 5917eaf394a1ef0e1dc0cdb4a00260efbf51d1ea20d48ab68f7325cfe4b3ad04
- SHA512: e7b92ccfe60142ea4e2605397104e5f0628c78431ff56a69a4868645b05444ece53679db26a724856f8c4c65d39017c51a467a27714b95f5aceee211ac70734e
- SSDEEP: 24576:zxUmQ8AhI8IYVw4zv7fYLXX5wktsH7XlUAFFLjlLWJ/Sa3qVBAg/LyMlXk/9pu06:zxxHm7b8LXpw9HXL2/SFNLy7/9prx6
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes: powershell.EXE, powershell.EXE
description | pid | process | target process
PID 1624 created 420 | 1624 | powershell.EXE | winlogon.exe
PID 1356 created 420 | 1356 | powershell.EXE | winlogon.exe
-
Drops file in System32 directory 3 IoCs
Processes: powershell.EXE, powershell.EXE, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | svchost.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: powershell.EXE, powershell.EXE
description | pid | process | target process
PID 1624 set thread context of 1456 | 1624 | powershell.EXE | dllhost.exe
PID 1356 set thread context of 672 | 1356 | powershell.EXE | dllhost.exe
-
Drops file in Windows directory 6 IoCs
Processes: svchost.exe, Install.exe
description | ioc | process
File opened for modification | C:\Windows\Tasks\$77svc32.job | svchost.exe
File created | C:\Windows\Tasks\$77svc32.job | Install.exe
File opened for modification | C:\Windows\Tasks\$77svc32.job | Install.exe
File created | C:\Windows\Tasks\$77svc64.job | Install.exe
File opened for modification | C:\Windows\Tasks\$77svc64.job | Install.exe
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
-
Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
956 | 672 | WerFault.exe | dllhost.exe
1168 | 1560 | WerFault.exe | dw20.exe
576 | 956 | WerFault.exe | WerFault.exe
-
Modifies data under HKEY_USERS 2 IoCs
Processes: powershell.EXE
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 7013111f25cfd801 | powershell.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.EXE, powershell.EXE, dllhost.exe, dllhost.exe
pid | process
1356 | powershell.EXE
1624 | powershell.EXE
1456 | dllhost.exe
672 | dllhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1384 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: powershell.EXE, powershell.EXE, dllhost.exe, dllhost.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1356 | powershell.EXE
Token: SeDebugPrivilege | 1624 | powershell.EXE
Token: SeDebugPrivilege | 1624 | powershell.EXE
Token: SeDebugPrivilege | 1456 | dllhost.exe
Token: SeDebugPrivilege | 1356 | powershell.EXE
Token: SeDebugPrivilege | 672 | dllhost.exe
Token: SeShutdownPrivilege | 1384 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: taskeng.exe, powershell.EXE, dllhost.exe, powershell.EXE, dllhost.exe
description | pid | process | target process
PID 1124 wrote to memory of 1624 | 1124 | taskeng.exe | powershell.EXE
PID 1124 wrote to memory of 1356 | 1124 | taskeng.exe | powershell.EXE
PID 1624 wrote to memory of 1456 | 1624 | powershell.EXE | dllhost.exe
PID 1456 wrote to memory of 420 | 1456 | dllhost.exe | winlogon.exe
PID 1456 wrote to memory of 468 | 1456 | dllhost.exe | services.exe
PID 1356 wrote to memory of 672 | 1356 | powershell.EXE | dllhost.exe
PID 1456 wrote to memory of 476 | 1456 | dllhost.exe | lsass.exe
PID 1456 wrote to memory of 484 | 1456 | dllhost.exe | lsm.exe
PID 1456 wrote to memory of 592 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 676 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 740 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 804 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 852 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 876 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 328 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 308 | 1456 | dllhost.exe | spoolsv.exe
PID 1456 wrote to memory of 1040 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 1256 | 1456 | dllhost.exe | taskhost.exe
PID 1456 wrote to memory of 1340 | 1456 | dllhost.exe | Dwm.exe
PID 1456 wrote to memory of 1384 | 1456 | dllhost.exe | Explorer.EXE
PID 1456 wrote to memory of 960 | 1456 | dllhost.exe | sppsvc.exe
PID 1456 wrote to memory of 800 | 1456 | dllhost.exe | svchost.exe
PID 1456 wrote to memory of 1928 | 1456 | dllhost.exe | WMIADAP.EXE
PID 1456 wrote to memory of 1124 | 1456 | dllhost.exe | taskeng.exe
PID 1456 wrote to memory of 1112 | 1456 | dllhost.exe | conhost.exe
PID 672 wrote to memory of 1356 | 672 | dllhost.exe | powershell.EXE
PID 672 wrote to memory of 956 | 672 | dllhost.exe | WerFault.exe
Processes
(indentation shows parent/child nesting)
- C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\sppsvc.exe
    Command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe
    Command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
    Signatures: Drops file in Windows directory
    - C:\Windows\system32\taskeng.exe
      Command line: taskeng.exe {4E7D8E6E-A9EE-4535-BF7A-0B4204D20A66} S-1-5-18:NT AUTHORITY\System:Service:
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 816
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 96
            Signatures: Program crash
  - C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    Signatures: Drops file in System32 directory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{ea322986-d797-40bd-917c-414e7cb8022a}
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{449c157e-6dd6-4014-826d-b8d14f6fdc57}
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 296
      Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 212
        Signatures: Program crash
- C:\Windows\system32\lsm.exe
  Command line: C:\Windows\system32\lsm.exe
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  Command line: wmiadap.exe /F /T /R
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    Signatures: Drops file in Windows directory
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-940788917-2075310290727857194-564733295-531994609536376070-887118630978848052"
Downloads
-
C:\Windows\Tasks\$77svc32.job
Filesize: 558B
MD5: 56c33e06132e976b8821a1f67d4f3734
SHA1: 57bd089a6a628be6a159684beed189cfe829711c
SHA256: 946b5c363eaa6cc5007ce0816aebb6cac8534df22c43060328ab21694d7ce929
SHA512: d466f39b9c0c90a433ce888b93f0be07baa82f8ec509607e23a8d542dc8c4e13c4dab8f271e35d44cf6274dc63df96504bcf49202daa0db6eff796ccf1654c43