Resubmissions
12-04-2024 13:32
240412-qtgfpsag84 812-04-2024 13:32
240412-qtc4aaag83 812-04-2024 13:32
240412-qtcshsag82 812-04-2024 13:32
240412-qtb6zsag79 812-04-2024 13:32
240412-qtbkfsdh4s 809-04-2024 05:34
240409-f9mmjsbc9t 809-04-2024 05:33
240409-f9bkaabc8w 809-04-2024 05:33
240409-f86n2abc71 809-04-2024 05:33
240409-f8wh3afh27 801-02-2024 11:29
240201-nlq9tsebck 10Analysis
-
max time kernel
1170s -
max time network
1172s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
12-04-2024 13:32
General
-
Target
svchost_dump_SCY - Copy.exe
-
Size
5.2MB
-
MD5
5fd3d21a968f4b8a1577b5405ab1c36a
-
SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
-
SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
-
SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
-
SSDEEP
98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 8 IoCs
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 17 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\~tl29FF.tmpC:\Users\Admin\AppData\Local\Temp\~tl29FF.tmp3⤵
- Executes dropped EXE
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\~tl9E6C.tmpC:\Windows\TEMP\~tl9E6C.tmp2⤵
- Executes dropped EXE
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\~tl1D82.tmpC:\Windows\TEMP\~tl1D82.tmp2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5781da0576417bf414dc558e5a315e2be
SHA1215451c1e370be595f1c389f587efeaa93108b4c
SHA25641a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA51224e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e07eea85a8893f23fb814cf4b3ed974c
SHA18a8125b2890bbddbfc3531d0ee4393dbbf5936fe
SHA25683387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
SHA5129d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rddxvons.gwt.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\~tl29FF.tmpFilesize
385KB
MD5e802c96760e48c5139995ffb2d891f90
SHA1bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA51297300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensusFilesize
2.7MB
MD527acfbf94480631e547b5cb508d9d4fb
SHA1f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c
SHA2560fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e
SHA512902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.newFilesize
8.9MB
MD5a8dad5ba64b75cd3547972d00e8e5354
SHA12b6c88f73ba0e4415dd85da5c731246a112be4d4
SHA2567c1abd25f3ac1903ff14ce0e65dd6b18ada7d12c3cf00c4f50dcdbbf3877431a
SHA51261c00a7e74dfe98d37b2e5cc291f63525b3769cd2bcd7c2f2266eee524de0392df2d35e2579c10d3bb499d933768f0f5cb39af550dfc7dd25057dd0a5f0a8b88
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certsFilesize
15KB
MD50413ce1640231ee4efe308763359036a
SHA1969d9bbdc725f80e1d63263f95879bd5ddf063ba
SHA256314bccd3b78c9fe250a20c37b355846aec14de04a8935a30932ab5fada3f8ae5
SHA5121bd9d023a3929fde1fd08e5a20a71d5dca976b7445b1b5e79a2aac7531f209701a90d3cc82bb3bb3b7e7e943dbb34ff80e674ec4dbfb813ebdf054dad19b4d25
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.newFilesize
6.1MB
MD5524278d87e88da6a9979964d03401855
SHA1762826c868a433268a6be411c4b69e7715e2d759
SHA256cf397a08202640178172b9459aac8c667d89f26e305124437ac66ebc6de1809f
SHA5128f4c02b65ce2e6d6b6dba036a9e29b648d92adcd98502b3ad5e24d5c9ae2176c1024478fac3b45d55d62eccf29a9a8e8c277dc41582e2e096b74cebfc0b76a22
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.newFilesize
20.3MB
MD53f6bc87702fb34ecf6c7d716470ade02
SHA18972171fba7d3712f6c48cd91b3bc2f075922c3d
SHA25674086319ee8150df4c14a75bdb1ad44040b2f3df309dcc0f446e10714dff8ed2
SHA512f127e6213ded393a3dd7569bc039e076128c8f5bfbf052b821724ac9bf4103a3b66d16b9b877ab0373ca3ea9d3d7c03efafc42ac92d21baae20b27ed489b0d4f
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\stateFilesize
3KB
MD5a2d1cb7c78360dba1e79ecbd8d092269
SHA1c7d1230b2b22e7f606bfa46c348c3630f781ec27
SHA256e97f956bb5bf0d3f2d9744bd24a01363247583a3d4bb260d9d1bf09fa2b449b0
SHA51220b7e9d2acd762173174d32134466f80f1afe3bd36fef4f37ccca745942fbd66ad94e5aa9097aba49398ac3bb1b12dd3cffcdaff93b470b8d051140cdd03c234
-
C:\Windows\System\svchost.exeFilesize
5.2MB
MD55fd3d21a968f4b8a1577b5405ab1c36a
SHA1710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA2567ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5dbbd2d4458d7e8094846420da595dfc3
SHA1267cb47b904f14a519d2bd73abfdb30e1a06e1a6
SHA256e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4
SHA512480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f2dd68ab8e611f0143c6ad176f223ae9
SHA130f580175773f251a9572fe757de6eaef6844abc
SHA256f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7
SHA512f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c9e1a46a334bbf867474606ab7890f8f
SHA1f975f36b18fb73608b752c5fd3e5af5be780ee53
SHA256476da7b2266f9176d80a9228b6b5bbbd1b4a505428dbbcddf575fb4b43acce64
SHA5128948dde2697e53780d1547b6e48713739fad6a6fc2e8bd7b2be6b104524017c38b57f5c35721c5e96b742e562a7638584faec0d067324ef3035e2a2122a7e90f
-
memory/236-13-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/236-0-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/236-43-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/1600-181-0x000001FDECDD0000-0x000001FDECDD6000-memory.dmpFilesize
24KB
-
memory/1600-145-0x000001FDEC330000-0x000001FDEC340000-memory.dmpFilesize
64KB
-
memory/1600-144-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/1600-189-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/1600-154-0x000001FDEC330000-0x000001FDEC340000-memory.dmpFilesize
64KB
-
memory/1600-180-0x000001FDECDA0000-0x000001FDECDA8000-memory.dmpFilesize
32KB
-
memory/1600-179-0x000001FDECDF0000-0x000001FDECE0A000-memory.dmpFilesize
104KB
-
memory/1600-168-0x00007FF4BFB50000-0x00007FF4BFB60000-memory.dmpFilesize
64KB
-
memory/1600-155-0x000001FDEC330000-0x000001FDEC340000-memory.dmpFilesize
64KB
-
memory/1740-29-0x00000274774F0000-0x0000027477500000-memory.dmpFilesize
64KB
-
memory/1740-28-0x00000274774F0000-0x0000027477500000-memory.dmpFilesize
64KB
-
memory/1740-30-0x00000274774F0000-0x0000027477500000-memory.dmpFilesize
64KB
-
memory/1740-27-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/1740-33-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/1740-31-0x00000274774F0000-0x0000027477500000-memory.dmpFilesize
64KB
-
memory/1816-45-0x0000028F3F620000-0x0000028F3F630000-memory.dmpFilesize
64KB
-
memory/1816-70-0x0000028F3F620000-0x0000028F3F630000-memory.dmpFilesize
64KB
-
memory/1816-44-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmpFilesize
10.8MB
-
memory/1816-73-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmpFilesize
10.8MB
-
memory/1816-54-0x0000028F3F620000-0x0000028F3F630000-memory.dmpFilesize
64KB
-
memory/1816-57-0x0000028F3F620000-0x0000028F3F630000-memory.dmpFilesize
64KB
-
memory/1964-143-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/1964-243-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/1964-132-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/1964-191-0x000000002BCA0000-0x000000002C182000-memory.dmpFilesize
4.9MB
-
memory/2568-42-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/2568-58-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/2568-129-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/2568-77-0x00000000368E0000-0x0000000036DC2000-memory.dmpFilesize
4.9MB
-
memory/3172-166-0x00000132AF7B0000-0x00000132AF863000-memory.dmpFilesize
716KB
-
memory/3172-156-0x00000132AF4F0000-0x00000132AF500000-memory.dmpFilesize
64KB
-
memory/3172-165-0x00000132AF790000-0x00000132AF7AC000-memory.dmpFilesize
112KB
-
memory/3172-134-0x00000132AF4F0000-0x00000132AF500000-memory.dmpFilesize
64KB
-
memory/3172-167-0x00000132AF870000-0x00000132AF87A000-memory.dmpFilesize
40KB
-
memory/3172-182-0x00000132AFB20000-0x00000132AFB2A000-memory.dmpFilesize
40KB
-
memory/3172-177-0x00000132AFAF0000-0x00000132AFB0C000-memory.dmpFilesize
112KB
-
memory/3172-178-0x00000132AFAD0000-0x00000132AFADA000-memory.dmpFilesize
40KB
-
memory/3172-133-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/3172-190-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/3172-183-0x00000132AF4F0000-0x00000132AF500000-memory.dmpFilesize
64KB
-
memory/3660-12-0x000001701CAB0000-0x000001701CAC0000-memory.dmpFilesize
64KB
-
memory/3660-10-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/3660-9-0x0000017004580000-0x00000170045A2000-memory.dmpFilesize
136KB
-
memory/3660-11-0x000001701CAB0000-0x000001701CAC0000-memory.dmpFilesize
64KB
-
memory/3660-16-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/3948-269-0x00000142E7970000-0x00000142E7980000-memory.dmpFilesize
64KB
-
memory/3948-280-0x00007FF47FA80000-0x00007FF47FA90000-memory.dmpFilesize
64KB
-
memory/3948-257-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/3948-258-0x00000142E7970000-0x00000142E7980000-memory.dmpFilesize
64KB
-
memory/4008-296-0x000000003A380000-0x000000003A862000-memory.dmpFilesize
4.9MB
-
memory/4008-245-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/4008-259-0x0000000140000000-0x0000000140636000-memory.dmpFilesize
6.2MB
-
memory/4488-69-0x0000021356010000-0x0000021356020000-memory.dmpFilesize
64KB
-
memory/4488-56-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmpFilesize
10.8MB
-
memory/4488-60-0x0000021356010000-0x0000021356020000-memory.dmpFilesize
64KB
-
memory/4488-59-0x0000021356010000-0x0000021356020000-memory.dmpFilesize
64KB
-
memory/4488-72-0x0000021356010000-0x0000021356020000-memory.dmpFilesize
64KB
-
memory/4488-76-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmpFilesize
10.8MB
-
memory/4772-130-0x0000000140000000-0x000000014015E400-memory.dmpFilesize
1.4MB
-
memory/4772-126-0x0000000140000000-0x000000014015E400-memory.dmpFilesize
1.4MB
-
memory/4936-248-0x000001CFB8EB0000-0x000001CFB8EC0000-memory.dmpFilesize
64KB
-
memory/4936-247-0x000001CFB8EB0000-0x000001CFB8EC0000-memory.dmpFilesize
64KB
-
memory/4936-246-0x00007FF900150000-0x00007FF900C12000-memory.dmpFilesize
10.8MB
-
memory/4936-270-0x000001CFB8EB0000-0x000001CFB8EC0000-memory.dmpFilesize
64KB
-
memory/4936-279-0x00007FF4DE7D0000-0x00007FF4DE7E0000-memory.dmpFilesize
64KB