Analysis

  • max time kernel
    182s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 00:08

General

  • Target

    7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll

  • Size

    541KB

  • MD5

    c12eff8d72d6a7d0bccd4c3947ba1271

  • SHA1

    351fee49a5207d1f16ddc036294b74cc98f06690

  • SHA256

    7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736

  • SHA512

    314402d330f0c01b131fcc78287472ee496120c9ba526b87438908fd85000a771ebb11386392bf6ff2fba8c3a08179e6cf9c8a7b50b10dd4d7cb07dc1de81c37

  • SSDEEP

    12288:gKXAyRw6k2wnnA9UhcOsyj/kidgR6ncbGUTLyEud6p2Qh5zb:6yRw6k20WU6yAp6cV3txh5zb

Signatures

  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.java.com/pt_BR/
          4⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7fff3b2a46f8,0x7fff3b2a4708,0x7fff3b2a4718
            5⤵
              PID:4840
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
              5⤵
                PID:4696
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2340
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
                5⤵
                  PID:2016
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
                  5⤵
                    PID:4640
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
                    5⤵
                      PID:5104
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 /prefetch:8
                      5⤵
                        PID:3136
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
                        5⤵
                          PID:2956
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
                          5⤵
                            PID:4312
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
                            5⤵
                              PID:1580
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
                              5⤵
                                PID:4968
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6108 /prefetch:8
                                5⤵
                                  PID:1876
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3136 /prefetch:2
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4712
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c call C:\Users\Admin\AppData\Local\Temp\YYYY.bat
                                4⤵
                                • Checks computer location settings
                                • Modifies registry class
                                PID:1464
                                • C:\Windows\SysWOW64\control.exe
                                  "C:\Windows\System32\control.exe" "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
                                  5⤵
                                    PID:3712
                                    • C:\Windows\SysWOW64\rundll32.exe
                                      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
                                      6⤵
                                      • Loads dropped DLL
                                      • Suspicious use of SetThreadContext
                                      PID:2480
                                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -embedding
                                        7⤵
                                        • Drops startup file
                                        • Adds Run key to start application
                                        • Suspicious use of SetThreadContext
                                        PID:2272
                                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                          "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
                                          8⤵
                                            PID:3472
                                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                            "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
                                            8⤵
                                              PID:3856
                                          • C:\Windows\system32\RunDll32.exe
                                            C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
                                            7⤵
                                              PID:4512
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
                                                8⤵
                                                • Loads dropped DLL
                                                PID:1236
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3768

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

                                    Filesize

                                    1KB

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

                                    Filesize

                                    1KB

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

                                    Filesize

                                    1KB

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

                                    Filesize

                                    442B

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

                                    Filesize

                                    458B

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

                                    Filesize

                                    432B

                                  • C:\Users\Admin\AppData\Local\Temp\YYYY.bat

                                    Filesize

                                    186B

                                  • C:\Users\Admin\AppData\Local\Temp\image.gif

                                    Filesize

                                    1KB

                                  • C:\Users\Admin\Microsoft\WindowsUpdate\em4.jmp

                                    Filesize

                                    8.2MB

                                  • C:\Users\Admin\Microsoft\WindowsUpdate\em5.jmp

                                    Filesize

                                    1.1MB

                                  • C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl

                                    Filesize

                                    1.2MB
