Analysis
-
max time kernel
158s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2022 06:09
Behavioral task
behavioral1
Sample
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
Resource
win7-20220901-en
General
-
Target
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
-
Size
1.3MB
-
MD5
01151ab7fc3222021cbab67f27622e8a
-
SHA1
caf0c1ef61f2846fb527dcca0f58543c25bb7496
-
SHA256
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
-
SHA512
4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8
-
SSDEEP
24576:cxTAxn1eTrQj9JPc9H+XD6krOlfKtBX8y3xyh2h8Qr7Rdwm:cxO889J8MD6krOlfKtBXLz8Qr7Ram
Malware Config
Signatures
-
Processes:
hknswc.exe13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" hknswc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe -
Executes dropped EXE 3 IoCs
Processes:
AppMgnt.exehknswc.exeAppMgnt.exepid process 224 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exehknswc.exeAppMgnt.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation AppMgnt.exe Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation hknswc.exe Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation AppMgnt.exe Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation WScript.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe agile_net C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe agile_net -
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 myip.dnsomatic.com -
Suspicious use of SetThreadContext 2 IoCs
Processes:
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exehknswc.exedescription pid process target process PID 3448 set thread context of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3156 set thread context of 1520 3156 hknswc.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 3596 schtasks.exe 2264 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exehknswc.exeAppMgnt.exevbc.exepid process 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 224 AppMgnt.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 224 AppMgnt.exe 224 AppMgnt.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 224 AppMgnt.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 224 AppMgnt.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 224 AppMgnt.exe 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe 3156 hknswc.exe 3156 hknswc.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 4644 AppMgnt.exe 3156 hknswc.exe 4612 vbc.exe 4612 vbc.exe 4612 vbc.exe 4612 vbc.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe 3156 hknswc.exe 4644 AppMgnt.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exehknswc.exeAppMgnt.exedescription pid process Token: SeDebugPrivilege 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe Token: SeDebugPrivilege 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe Token: SeDebugPrivilege 224 AppMgnt.exe Token: SeDebugPrivilege 3156 hknswc.exe Token: SeDebugPrivilege 3156 hknswc.exe Token: SeDebugPrivilege 4644 AppMgnt.exe -
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exehknswc.exeAppMgnt.exevbc.exeWScript.execmd.exedescription pid process target process PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 4612 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe vbc.exe PID 3448 wrote to memory of 224 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe AppMgnt.exe PID 3448 wrote to memory of 224 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe AppMgnt.exe PID 3448 wrote to memory of 224 3448 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe AppMgnt.exe PID 224 wrote to memory of 3596 224 AppMgnt.exe schtasks.exe PID 224 wrote to memory of 3596 224 AppMgnt.exe schtasks.exe PID 224 wrote to memory of 3596 224 AppMgnt.exe schtasks.exe PID 224 wrote to memory of 3156 224 AppMgnt.exe hknswc.exe PID 224 wrote to memory of 3156 224 AppMgnt.exe hknswc.exe PID 224 wrote to memory of 3156 224 AppMgnt.exe hknswc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 1520 3156 hknswc.exe vbc.exe PID 3156 wrote to memory of 4644 3156 hknswc.exe AppMgnt.exe PID 3156 wrote to memory of 4644 3156 hknswc.exe AppMgnt.exe PID 3156 wrote to memory of 4644 3156 hknswc.exe AppMgnt.exe PID 4644 wrote to memory of 2264 4644 AppMgnt.exe schtasks.exe PID 4644 wrote to memory of 2264 4644 AppMgnt.exe schtasks.exe PID 4644 wrote to memory of 2264 4644 AppMgnt.exe schtasks.exe PID 4612 wrote to memory of 2012 4612 vbc.exe WScript.exe PID 4612 wrote to memory of 2012 4612 vbc.exe WScript.exe PID 4612 wrote to memory of 2012 4612 vbc.exe WScript.exe PID 2012 wrote to memory of 5020 2012 WScript.exe cmd.exe PID 2012 wrote to memory of 5020 2012 WScript.exe cmd.exe PID 2012 wrote to memory of 5020 2012 WScript.exe cmd.exe PID 5020 wrote to memory of 2516 5020 cmd.exe attrib.exe PID 5020 wrote to memory of 2516 5020 cmd.exe attrib.exe PID 5020 wrote to memory of 2516 5020 cmd.exe attrib.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exehknswc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" hknswc.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe"C:\Users\Admin\AppData\Local\Temp\13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe"1⤵
- UAC bypass
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\RealNetowrks5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST5⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.logFilesize
404B
MD515b6596d028baa2a113143d1828bcc36
SHA1f1be43126c4e765fe499718c388823d44bf1fef1
SHA256529f9fde2234067382b4c6fb8e5aee49d8a8b1b85c82b0bdae425fa2a0264f75
SHA512f2a6cb8498f596c7bf9178ea32a245dbb3657f43a179f378ce952ce5cb8580810cd67ef1efb623bcf6cd796d74e2c9b7bc42cb8665ead397546ce3b400181e83
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exeFilesize
13KB
MD579e47af9db3d7ba538de0083c4fa0f90
SHA1113e6053c02639704e764a04f907c8b764b51a7a
SHA2564862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1
SHA512105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exeFilesize
13KB
MD579e47af9db3d7ba538de0083c4fa0f90
SHA1113e6053c02639704e764a04f907c8b764b51a7a
SHA2564862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1
SHA512105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exeFilesize
13KB
MD579e47af9db3d7ba538de0083c4fa0f90
SHA1113e6053c02639704e764a04f907c8b764b51a7a
SHA2564862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1
SHA512105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exeFilesize
13KB
MD579e47af9db3d7ba538de0083c4fa0f90
SHA1113e6053c02639704e764a04f907c8b764b51a7a
SHA2564862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1
SHA512105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exeFilesize
1.3MB
MD501151ab7fc3222021cbab67f27622e8a
SHA1caf0c1ef61f2846fb527dcca0f58543c25bb7496
SHA25613685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
SHA5124db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exeFilesize
1.3MB
MD501151ab7fc3222021cbab67f27622e8a
SHA1caf0c1ef61f2846fb527dcca0f58543c25bb7496
SHA25613685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
SHA5124db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8
-
C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.batFilesize
56B
MD54a55a5a5ca857637659220aeb1a91d92
SHA14c73b21f348ed194dec47bcb0c3a83071be864e8
SHA2560aa9d5a6e2d224e57d44bd4267c6d98479e25b052c878e579cc5d2facbcc601f
SHA512d7ea2948e2c5f60675c08d6a8308cd7c449e1efaef818a24bf0481b8f5a45412a04b5fd580035127bcd052cc754fb948dc947989528ee9a52ce64457ab2eac51
-
C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.vbsFilesize
169B
MD53d987aec0fa7269c334d9d52676f7ae6
SHA1c912e179bfcad6b0d10061cfe4eb84bfa069a5f5
SHA256757a187de0343591d7d49a2fa71ef8a8f8325f61df8f2bff905c36d599bdd549
SHA5128ff828024cfdb0db4bc0474ce4b5f00e691c0d9c4193ebd67bb57b4ba7907690e688c6c0a78863a8ece6e244ef21e89c0aa1b7f073146fad0a2b0e59beb58e63
-
memory/224-137-0x0000000000000000-mapping.dmp
-
memory/224-141-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/224-146-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/1520-149-0x0000000000000000-mapping.dmp
-
memory/1520-151-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/1520-152-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/1520-153-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/2012-160-0x0000000000000000-mapping.dmp
-
memory/2264-159-0x0000000000000000-mapping.dmp
-
memory/2516-164-0x0000000000000000-mapping.dmp
-
memory/3156-144-0x0000000000000000-mapping.dmp
-
memory/3156-147-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/3156-166-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/3448-148-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/3448-132-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/3596-143-0x0000000000000000-mapping.dmp
-
memory/4612-140-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/4612-136-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/4612-135-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/4612-134-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/4612-165-0x0000000000400000-0x000000000048F000-memory.dmpFilesize
572KB
-
memory/4612-133-0x0000000000000000-mapping.dmp
-
memory/4644-154-0x0000000000000000-mapping.dmp
-
memory/4644-158-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/4644-167-0x0000000075420000-0x00000000759D1000-memory.dmpFilesize
5.7MB
-
memory/5020-163-0x0000000000000000-mapping.dmp