Analysis
max time kernel: 50s
max time network: 23s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-05-2024 21:56
Behavioral task: behavioral1
Sample: ldr_37Q9.exe
Resource: win11-20240508-en
General
Target: ldr_37Q9.exe
Size: 22.8MB
MD5: f775faca16d1b2838c5791143b8922df
SHA1: 458cda4c1ac20baef0b78e1e825db67208375cb4
SHA256: 7e2d0dde21a16920961db184e4b6e8a7c9632ab648bb64c0121d995181f385cf
SHA512: 15743e0d941684897c4703b1738aeb6cdb8e25f9a1cd529d82828f85d9efb37a111581d25db27464c89ad1bb99e043dea143448614077c306b0b98ae1fa77bae
SSDEEP: 393216:MUfnewiuTWW//yUcTCCnfk5M60cr0zCLRUJhmeA71q983HgROYx5OJ5b:MGnFlWW/u1nMn0cr0zI1qy3HgROHJt
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes: ldr_37Q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ldr_37Q9.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | icsys.icn.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |

Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes: ldr_37q9.exe, ldr_PjOE.exe

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | ldr_37q9.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | ldr_PjOE.exe |

Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: ldr_37Q9.exe, icsys.icn.exe, spoolsv.exe, explorer.exe, svchost.exe, spoolsv.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ldr_37Q9.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | icsys.icn.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ldr_37Q9.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | icsys.icn.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |

Executes dropped EXE 7 IoCs
Processes: ldr_37q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, ldr_PjOE.exe

| pid | process |
| --- | --- |
| 1740 | ldr_37q9.exe |
| 3688 | icsys.icn.exe |
| 5024 | explorer.exe |
| 4984 | spoolsv.exe |
| 4316 | svchost.exe |
| 4916 | spoolsv.exe |
| 3200 | ldr_PjOE.exe |

Loads dropped DLL 2 IoCs
Processes: ldr_37q9.exe, ldr_PjOE.exe

| pid | process |
| --- | --- |
| 1740 | ldr_37q9.exe |
| 3200 | ldr_PjOE.exe |

Processes:

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1448-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| C:\Windows\Resources\Themes\icsys.icn.exe | themida |
| behavioral1/memory/3688-12-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| C:\Windows\Resources\Themes\explorer.exe | themida |
| behavioral1/memory/5024-22-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| C:\Windows\Resources\spoolsv.exe | themida |
| behavioral1/memory/4984-31-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| C:\Windows\Resources\svchost.exe | themida |
| behavioral1/memory/4316-40-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/4916-45-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/4916-50-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/3688-54-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/1448-56-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/4984-52-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/5024-66-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/4316-67-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |

Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe, svchost.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe |

Processes: ldr_37Q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ldr_37Q9.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | icsys.icn.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |

Drops file in System32 directory 2 IoCs
Processes: explorer.exe, svchost.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes: ldr_37Q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe

| pid | process |
| --- | --- |
| 1448 | ldr_37Q9.exe |
| 3688 | icsys.icn.exe |
| 5024 | explorer.exe |
| 4984 | spoolsv.exe |
| 4316 | svchost.exe |
| 4916 | spoolsv.exe |

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: ldr_37q9.exe, ldr_PjOE.exe

| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | ldr_37q9.exe |
| File opened (read-only) | \??\VBoxMiniRdrDN | ldr_PjOE.exe |

Drops file in Windows directory 4 IoCs
Processes: ldr_37Q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ldr_37Q9.exe |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe |

Modifies registry class 1 IoCs
Processes: MiniSearchHost.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe |

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: ldr_37Q9.exe, icsys.icn.exe

| pid | process |
| --- | --- |
| 1448 | ldr_37Q9.exe |
| 3688 | icsys.icn.exe |

The report repeats these two rows to make up the 64 listed IoCs.

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe

| pid | process |
| --- | --- |
| 5024 | explorer.exe |
| 4316 | svchost.exe |

Suspicious use of SetWindowsHookEx 13 IoCs
Processes: ldr_37Q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, MiniSearchHost.exe

| pid | process |
| --- | --- |
| 1448 | ldr_37Q9.exe |
| 1448 | ldr_37Q9.exe |
| 3688 | icsys.icn.exe |
| 3688 | icsys.icn.exe |
| 5024 | explorer.exe |
| 5024 | explorer.exe |
| 4984 | spoolsv.exe |
| 4984 | spoolsv.exe |
| 4316 | svchost.exe |
| 4316 | svchost.exe |
| 4916 | spoolsv.exe |
| 4916 | spoolsv.exe |
| 2572 | MiniSearchHost.exe |

Suspicious use of WriteProcessMemory 19 IoCs
Processes: ldr_37Q9.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, ldr_37q9.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1448 wrote to memory of 1740 | 1448 | ldr_37Q9.exe | ldr_37q9.exe |
| PID 1448 wrote to memory of 1740 | 1448 | ldr_37Q9.exe | ldr_37q9.exe |
| PID 1448 wrote to memory of 3688 | 1448 | ldr_37Q9.exe | icsys.icn.exe |
| PID 1448 wrote to memory of 3688 | 1448 | ldr_37Q9.exe | icsys.icn.exe |
| PID 1448 wrote to memory of 3688 | 1448 | ldr_37Q9.exe | icsys.icn.exe |
| PID 3688 wrote to memory of 5024 | 3688 | icsys.icn.exe | explorer.exe |
| PID 3688 wrote to memory of 5024 | 3688 | icsys.icn.exe | explorer.exe |
| PID 3688 wrote to memory of 5024 | 3688 | icsys.icn.exe | explorer.exe |
| PID 5024 wrote to memory of 4984 | 5024 | explorer.exe | spoolsv.exe |
| PID 5024 wrote to memory of 4984 | 5024 | explorer.exe | spoolsv.exe |
| PID 5024 wrote to memory of 4984 | 5024 | explorer.exe | spoolsv.exe |
| PID 4984 wrote to memory of 4316 | 4984 | spoolsv.exe | svchost.exe |
| PID 4984 wrote to memory of 4316 | 4984 | spoolsv.exe | svchost.exe |
| PID 4984 wrote to memory of 4316 | 4984 | spoolsv.exe | svchost.exe |
| PID 4316 wrote to memory of 4916 | 4316 | svchost.exe | spoolsv.exe |
| PID 4316 wrote to memory of 4916 | 4316 | svchost.exe | spoolsv.exe |
| PID 4316 wrote to memory of 4916 | 4316 | svchost.exe | spoolsv.exe |
| PID 1740 wrote to memory of 3200 | 1740 | ldr_37q9.exe | ldr_PjOE.exe |
| PID 1740 wrote to memory of 3200 | 1740 | ldr_37q9.exe | ldr_PjOE.exe |

Processes
-
C:\Users\Admin\AppData\Local\Temp\ldr_37Q9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ldr_37Q9.exe"
Tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\ldr_37q9.exe
Command line: c:\users\admin\appdata\local\temp\ldr_37q9.exe
Tree depth: 2
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldr_PjOE.exe
Command line: "ldr_PjOE.exe" "c:\users\admin\appdata\local\temp\ldr_37q9.exe "
Tree depth: 3
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Windows\Resources\Themes\icsys.icn.exe
Command line: C:\Windows\Resources\Themes\icsys.icn.exe
Tree depth: 2
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe
Tree depth: 3
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE
Tree depth: 4
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe
Tree depth: 5
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR
Tree depth: 6
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Tree depth: 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
- Hidden Files and Directories (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (2)
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
-
C:\Users\Admin\AppData\Local\Temp\ldr_37q9.exe
Filesize: 20.3MB
-
C:\Users\Admin\AppData\Local\Temp\ldr_PjOE.exe
Filesize: 19.0MB
-
C:\Windows\Resources\Themes\explorer.exe
Filesize: 2.5MB
-
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize: 2.5MB
-
C:\Windows\Resources\spoolsv.exe
Filesize: 2.5MB
-
C:\Windows\Resources\svchost.exe
Filesize: 2.5MB