Analysis
-
max time kernel: 91s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 26-11-2022 11:19
Static task
static1
Behavioral task
behavioral1
Sample
eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
Resource
win7-20220901-en
General
-
Target
eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
-
Size
1.5MB
-
MD5
ce542fe492754f16876fa41ad555212c
-
SHA1
78fef1b76ec6cb34359e01987ff02cc463dda70a
-
SHA256
eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3
-
SHA512
5886acbb05b1dae404068ab26277f0c6f2d5d320ef7f4bd42c4886b61bbdec2c1215addda9a829dd2d93dd5d002765c4ca4b1396757f86057aa3ebe0eadd9d84
-
SSDEEP
24576:viZDrjF7kaA2THUVw0OdguwVxR4h2hlbVpPnxzyj7ngeWMBr6rQs89roc5m:6ZrJzTTHoOGplaepQngebd/9Mb
Malware Config
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/368-138-0x0000000000400000-0x00000000004F0000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/368-138-0x0000000000400000-0x00000000004F0000-memory.dmp | WebBrowserPassView
-
Nirsoft 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/368-138-0x0000000000400000-0x00000000004F0000-memory.dmp | Nirsoft
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
3632 | MyPC Backup.exe
2400 | Windows Update.exe
320 | MyPC Backup.exe
432 | Windows Update.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Windows Update.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
35 | whatismyipaddress.com
37 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4436 set thread context of 368 | 4436 | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
PID 2400 set thread context of 432 | 2400 | Windows Update.exe | Windows Update.exe
PID 432 set thread context of 4844 | 432 | Windows Update.exe | vbc.exe
-
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | Windows Update.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | Windows Update.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
3636 | 3632 | WerFault.exe | MyPC Backup.exe
1420 | 320 | WerFault.exe | MyPC Backup.exe
5076 | 4844 | WerFault.exe | vbc.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
432 | Windows Update.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 432 | Windows Update.exe
Token: SeRestorePrivilege | 1876 | dw20.exe
Token: SeBackupPrivilege | 1876 | dw20.exe
Token: SeBackupPrivilege | 1876 | dw20.exe
Token: SeBackupPrivilege | 1876 | dw20.exe
Token: SeBackupPrivilege | 1876 | dw20.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
432 | Windows Update.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
description | pid | process | target process
PID 4436 wrote to memory of 3632 | 4436 | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe | MyPC Backup.exe (×2)
PID 4436 wrote to memory of 368 | 4436 | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe (×8)
PID 368 wrote to memory of 2400 | 368 | eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe | Windows Update.exe (×3)
PID 2400 wrote to memory of 320 | 2400 | Windows Update.exe | MyPC Backup.exe (×2)
PID 2400 wrote to memory of 432 | 2400 | Windows Update.exe | Windows Update.exe (×8)
PID 432 wrote to memory of 4844 | 432 | Windows Update.exe | vbc.exe (×9)
PID 432 wrote to memory of 1876 | 432 | Windows Update.exe | dw20.exe (×3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 4436
-
  C:\Users\Admin\AppData\Local\Temp\MyPC Backup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MyPC Backup.exe"
  - Executes dropped EXE
  PID: 3632
-
    C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3632 -s 812
    - Program crash
    PID: 3636
-
  C:\Users\Admin\AppData\Local\Temp\eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 368
-
    C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2400
-
      C:\Users\Admin\AppData\Local\Temp\MyPC Backup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MyPC Backup.exe"
      - Executes dropped EXE
      PID: 320
-
        C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 320 -s 792
        - Program crash
        PID: 1420
-
      C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 432
-
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        PID: 4844
-
          C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 188
          - Program crash
          PID: 5076
-
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 1052
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        PID: 1876
-
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3632 -ip 3632
PID: 2100
-
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 432 -p 320 -ip 320
PID: 3332
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4844 -ip 4844
PID: 4288
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\eda7b859444c7e2308b041a2bf6401d8a3e1e301e7fb8ba3062e29057559bad3.exe.log
Filesize: 411B
-
C:\Users\Admin\AppData\Local\Temp\MyPC Backup.exe
Filesize: 819KB
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 1.5MB
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize: 514B
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize: 514B