Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
31-01-2023 13:48
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20221111-en
General
-
Target
tmp.exe
-
Size
8KB
-
MD5
9ce72ed428e9196e4e47d6977dd91646
-
SHA1
b52204e0f6b40129d3ed22da0f4f9e230ef04362
-
SHA256
3d106d9e8d65c6f681f07ad74f99cf196eb4d9553eebab2d7448ffe65ac15d36
-
SHA512
663a2cae6ddb9e92d76ee664fe960915da177b74c2b1d06ea66370626bee52467c99f7d071d331d0bb4b988f46cd67ab413923246d403a6112918c96f8fb8096
-
SSDEEP
192:oAU3/5oNY99v2YuYsjPKmWBWQShNWdhLdW7:+Rr9t2Y6PKmKOWPdW
Malware Config
Extracted
C:\FILE RECOVERY.txt
mallox.resurrection@onionmail.org
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
RegAsm.exedescription ioc process File opened (read-only) \??\G: RegAsm.exe File opened (read-only) \??\N: RegAsm.exe File opened (read-only) \??\O: RegAsm.exe File opened (read-only) \??\Z: RegAsm.exe File opened (read-only) \??\B: RegAsm.exe File opened (read-only) \??\I: RegAsm.exe File opened (read-only) \??\Q: RegAsm.exe File opened (read-only) \??\S: RegAsm.exe File opened (read-only) \??\U: RegAsm.exe File opened (read-only) \??\V: RegAsm.exe File opened (read-only) \??\Y: RegAsm.exe File opened (read-only) \??\E: RegAsm.exe File opened (read-only) \??\K: RegAsm.exe File opened (read-only) \??\M: RegAsm.exe File opened (read-only) \??\T: RegAsm.exe File opened (read-only) \??\X: RegAsm.exe File opened (read-only) \??\H: RegAsm.exe File opened (read-only) \??\F: RegAsm.exe File opened (read-only) \??\J: RegAsm.exe File opened (read-only) \??\L: RegAsm.exe File opened (read-only) \??\P: RegAsm.exe File opened (read-only) \??\R: RegAsm.exe File opened (read-only) \??\W: RegAsm.exe File opened (read-only) \??\A: RegAsm.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmp.exedescription pid process target process PID 4088 set thread context of 2696 4088 tmp.exe RegAsm.exe -
Drops file in Program Files directory 64 IoCs
Processes:
RegAsm.exedescription ioc process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\FILE RECOVERY.txt RegAsm.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ar-ae\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-unplated_contrast-white.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css RegAsm.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-150.png RegAsm.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsLargeTile.scale-100.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64_altform-unplated.png RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js RegAsm.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\FILE RECOVERY.txt RegAsm.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-100.png RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-125.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-100.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\11.rsrc RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_contrast-black.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30.png RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40_altform-unplated.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2c6c9842.pri RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar RegAsm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircleHover.png RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\ui-strings.js RegAsm.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Cyrl-BA.pak RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-32_altform-unplated_contrast-black.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-lightunplated.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-125.png RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUI.xaml RegAsm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-high.png RegAsm.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\FILE RECOVERY.txt RegAsm.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\FILE RECOVERY.txt RegAsm.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar RegAsm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png RegAsm.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 2212 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1120 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegAsm.exepid process 2696 RegAsm.exe 2696 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
tmp.exeRegAsm.exevssvc.exedescription pid process Token: SeDebugPrivilege 4088 tmp.exe Token: SeTakeOwnershipPrivilege 2696 RegAsm.exe Token: SeDebugPrivilege 2696 RegAsm.exe Token: SeBackupPrivilege 2252 vssvc.exe Token: SeRestorePrivilege 2252 vssvc.exe Token: SeAuditPrivilege 2252 vssvc.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
tmp.exeRegAsm.execmd.exedescription pid process target process PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 4088 wrote to memory of 2696 4088 tmp.exe RegAsm.exe PID 2696 wrote to memory of 1120 2696 RegAsm.exe vssadmin.exe PID 2696 wrote to memory of 1120 2696 RegAsm.exe vssadmin.exe PID 2696 wrote to memory of 2300 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 2300 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 2300 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 2284 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 2284 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 2284 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 3384 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 3384 2696 RegAsm.exe cmd.exe PID 2696 wrote to memory of 3384 2696 RegAsm.exe cmd.exe PID 2284 wrote to memory of 2212 2284 cmd.exe sc.exe PID 2284 wrote to memory of 2212 2284 cmd.exe sc.exe PID 2284 wrote to memory of 2212 2284 cmd.exe sc.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher"4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1120-139-0x0000000000000000-mapping.dmp
-
memory/2212-144-0x0000000000000000-mapping.dmp
-
memory/2284-141-0x0000000000000000-mapping.dmp
-
memory/2300-140-0x0000000000000000-mapping.dmp
-
memory/2696-135-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2696-137-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2696-136-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2696-134-0x0000000000000000-mapping.dmp
-
memory/2696-143-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2696-145-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3384-142-0x0000000000000000-mapping.dmp
-
memory/4088-132-0x0000000000390000-0x0000000000398000-memory.dmpFilesize
32KB
-
memory/4088-133-0x0000000005C80000-0x0000000005CA2000-memory.dmpFilesize
136KB