Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2022 22:00
Static task
static1
Behavioral task
behavioral1
Sample
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe
Resource
win10v2004-20220901-en
General
-
Target
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe
-
Size
408KB
-
MD5
ba0010c7b17f06f067014eb32d17cdf6
-
SHA1
ce1cf47d74c7b3aba3647ce3c5c5c7720644d223
-
SHA256
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f
-
SHA512
ef44a06184b00e9270aa4ff24e93781a16722be6f62de3b78ca716adc424d408358ea9c8e13c0ca5f2e24788baa40995f5f55274579cbc974f2d784a6fc638bd
-
SSDEEP
12288:jjxv2nebwy/Lzpc92s3mA0Imm1XSCT+rPK:jF+nuwy/e2s2A02RmK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\dataupdate.exe" 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe -
Executes dropped EXE 3 IoCs
Processes:
dataupdate.exedataupdate.exedataupdate.exepid process 1764 dataupdate.exe 3132 dataupdate.exe 5100 dataupdate.exe -
Processes:
resource yara_rule behavioral2/memory/2892-141-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/2892-142-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/2892-143-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/2892-145-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/2892-147-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/2892-148-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/2892-149-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-168-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-171-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-172-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-173-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-174-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-175-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/5100-176-0x0000000000400000-0x00000000004B5000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Documents\\MSDCSC\\dataupdate.exe" 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
dataupdate.exe879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum dataupdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 dataupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedataupdate.exedataupdate.exedescription pid process target process PID 4828 set thread context of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 set thread context of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1764 set thread context of 3132 1764 dataupdate.exe dataupdate.exe PID 3132 set thread context of 5100 3132 dataupdate.exe dataupdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedataupdate.exedataupdate.exedescription pid process Token: SeDebugPrivilege 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeIncreaseQuotaPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeSecurityPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeTakeOwnershipPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeLoadDriverPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeSystemProfilePrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeSystemtimePrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeProfSingleProcessPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeIncBasePriorityPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeCreatePagefilePrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeBackupPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeRestorePrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeShutdownPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeDebugPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeSystemEnvironmentPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeChangeNotifyPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeRemoteShutdownPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeUndockPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeManageVolumePrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeImpersonatePrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeCreateGlobalPrivilege 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: 33 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: 34 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: 35 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: 36 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe Token: SeDebugPrivilege 3132 dataupdate.exe Token: SeIncreaseQuotaPrivilege 5100 dataupdate.exe Token: SeSecurityPrivilege 5100 dataupdate.exe Token: SeTakeOwnershipPrivilege 5100 dataupdate.exe Token: SeLoadDriverPrivilege 5100 dataupdate.exe Token: SeSystemProfilePrivilege 5100 dataupdate.exe Token: SeSystemtimePrivilege 5100 dataupdate.exe Token: SeProfSingleProcessPrivilege 5100 dataupdate.exe Token: SeIncBasePriorityPrivilege 5100 dataupdate.exe Token: SeCreatePagefilePrivilege 5100 dataupdate.exe Token: SeBackupPrivilege 5100 dataupdate.exe Token: SeRestorePrivilege 5100 dataupdate.exe Token: SeShutdownPrivilege 5100 dataupdate.exe Token: SeDebugPrivilege 5100 dataupdate.exe Token: SeSystemEnvironmentPrivilege 5100 dataupdate.exe Token: SeChangeNotifyPrivilege 5100 dataupdate.exe Token: SeRemoteShutdownPrivilege 5100 dataupdate.exe Token: SeUndockPrivilege 5100 dataupdate.exe Token: SeManageVolumePrivilege 5100 dataupdate.exe Token: SeImpersonatePrivilege 5100 dataupdate.exe Token: SeCreateGlobalPrivilege 5100 dataupdate.exe Token: 33 5100 dataupdate.exe Token: 34 5100 dataupdate.exe Token: 35 5100 dataupdate.exe Token: 36 5100 dataupdate.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedataupdate.exedataupdate.exepid process 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 1764 dataupdate.exe 3132 dataupdate.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exedataupdate.exedataupdate.exedescription pid process target process PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 4828 wrote to memory of 1916 4828 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 1916 wrote to memory of 2892 1916 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe PID 2892 wrote to memory of 1764 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe dataupdate.exe PID 2892 wrote to memory of 1764 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe dataupdate.exe PID 2892 wrote to memory of 1764 2892 879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 1764 wrote to memory of 3132 1764 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe PID 3132 wrote to memory of 5100 3132 dataupdate.exe dataupdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe"C:\Users\Admin\AppData\Local\Temp\879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe"C:\Users\Admin\AppData\Local\Temp\879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe"2⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe"C:\Users\Admin\AppData\Local\Temp\879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exe"C:\Users\Admin\Documents\MSDCSC\dataupdate.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exe"C:\Users\Admin\Documents\MSDCSC\dataupdate.exe"5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exe"C:\Users\Admin\Documents\MSDCSC\dataupdate.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exeFilesize
408KB
MD5ba0010c7b17f06f067014eb32d17cdf6
SHA1ce1cf47d74c7b3aba3647ce3c5c5c7720644d223
SHA256879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f
SHA512ef44a06184b00e9270aa4ff24e93781a16722be6f62de3b78ca716adc424d408358ea9c8e13c0ca5f2e24788baa40995f5f55274579cbc974f2d784a6fc638bd
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exeFilesize
408KB
MD5ba0010c7b17f06f067014eb32d17cdf6
SHA1ce1cf47d74c7b3aba3647ce3c5c5c7720644d223
SHA256879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f
SHA512ef44a06184b00e9270aa4ff24e93781a16722be6f62de3b78ca716adc424d408358ea9c8e13c0ca5f2e24788baa40995f5f55274579cbc974f2d784a6fc638bd
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exeFilesize
408KB
MD5ba0010c7b17f06f067014eb32d17cdf6
SHA1ce1cf47d74c7b3aba3647ce3c5c5c7720644d223
SHA256879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f
SHA512ef44a06184b00e9270aa4ff24e93781a16722be6f62de3b78ca716adc424d408358ea9c8e13c0ca5f2e24788baa40995f5f55274579cbc974f2d784a6fc638bd
-
C:\Users\Admin\Documents\MSDCSC\dataupdate.exeFilesize
408KB
MD5ba0010c7b17f06f067014eb32d17cdf6
SHA1ce1cf47d74c7b3aba3647ce3c5c5c7720644d223
SHA256879746e2b812857a8f9101eedf2ed86a66fb00c30d98254d4caf8bffe793a60f
SHA512ef44a06184b00e9270aa4ff24e93781a16722be6f62de3b78ca716adc424d408358ea9c8e13c0ca5f2e24788baa40995f5f55274579cbc974f2d784a6fc638bd
-
memory/1764-150-0x0000000000000000-mapping.dmp
-
memory/1916-135-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/1916-146-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/1916-134-0x0000000000000000-mapping.dmp
-
memory/1916-139-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/2892-143-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2892-145-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2892-147-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2892-148-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2892-149-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2892-141-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/2892-140-0x0000000000000000-mapping.dmp
-
memory/2892-142-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/3132-155-0x0000000000000000-mapping.dmp
-
memory/3132-169-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/5100-161-0x0000000000000000-mapping.dmp
-
memory/5100-168-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5100-171-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5100-172-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5100-173-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5100-174-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5100-175-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5100-176-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB