Analysis
-
max time kernel
599s -
max time network
625s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
29-10-2021 14:47
Static task
static1
Behavioral task
behavioral1
Sample
oskzgaz.dll
Resource
win7-en-20210920
General
-
Target
oskzgaz.dll
-
Size
1014KB
-
MD5
7ab84786a2d5aca40ece131235ca7699
-
SHA1
43b15505f2b527443cf61a6b72f96ef13bad3eb2
-
SHA256
e307e37daab066ab1176b93c42fae837585001f3232c2c15545b9b703ab7cede
-
SHA512
cbd234c2765b3d6203d67550b9ea555fa9e581fe9483f3ac889bd58856b7866a523678c96c586486751c45252714109f13a981c0835395c9a9c0c33b1c478fff
Malware Config
Extracted
qakbot
402.363
notset
1632819510
196.217.156.63:995
120.150.218.241:995
95.77.223.148:443
185.250.148.74:443
181.118.183.94:443
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
122.11.220.212:2222
120.151.47.189:443
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
76.25.142.196:443
75.66.88.33:443
45.46.53.140:2222
173.25.166.81:443
103.148.120.144:443
173.21.10.71:2222
186.18.205.199:995
71.74.12.34:443
67.165.206.193:993
47.40.196.233:2222
68.204.7.158:443
24.229.150.54:995
109.12.111.14:443
177.130.82.197:2222
72.252.201.69:443
24.55.112.61:443
24.139.72.117:443
187.156.138.172:443
71.80.168.245:443
82.77.137.101:995
173.234.155.233:443
75.188.35.168:443
5.238.149.235:61202
73.77.87.137:443
182.176.112.182:443
96.37.113.36:993
162.244.227.34:443
92.59.35.196:2222
196.218.227.241:995
68.207.102.78:443
2.188.27.77:443
189.210.115.207:443
181.163.96.53:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 1692 regsvr32.exe -
Drops file in System32 directory 1 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat explorer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 41 IoCs
Processes:
explorer.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-01-0c-8d-8f-9f\WpadDecisionTime = 202263e0d4ccd701 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\a86b0a6b = 859f8e2ff67c527a12a4648c965618bb42a17e3ac46f27ad837e24247ae959265a4a3f2ffe4a9f08c7691d578d9542f2 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\d56345e1 = 46c54ad05c206aeee0291c7aa9347ed0813f8a16e5d41f6a79ea42311b73bd0fd4f9a7c8b16a1bb11985287b explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\27099d3c = 6f453be52fee7722a282e011041a7636f81182dae7726f28cd07a0e6f48d68ec42b1b9c06ec8e8798cd5616463ab310ca55756f658f218878dd50abd92870bb2c9e5b0744cca34636a20e557a465e9c5b727f3ea8f01fbd79657e005e6820c42c8a7cbd796eb549f5c3473578cb9856fa8c9bae0ed1a0f419a89e25576c9 explorer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-01-0c-8d-8f-9f explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-01-0c-8d-8f-9f\WpadDetectedUrl explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-01-0c-8d-8f-9f\WpadDecisionTime = e05beeb5d4ccd701 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\27099d3c = 6f4532e52fee7722a282e15b04147136fa118ddcae746522c509a1d0d31712d97fd9d126eef1f11a493aced7e0fd983c0532b01243ecd7362ac949437bb8ebcd21813cc3ee06c1dc61da72ab9b97561f515d30feb53b9abb85d6db929aab581996aa7ee2b4297f1ac7868a0a2f930671f9b5783528 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings explorer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92} explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92}\WpadDecisionTime = e05beeb5d4ccd701 explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92}\WpadNetworkName = "Network 3" explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\aa2a2a17 = 2dc62b48e54e39f1b2a570d5c2c22fd880213c6107d1aedfe9ee6caea91530c4910ec3ff4ddfbeebf5a154dff1a59297e0a1a54feee12054ee explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92}\WpadDecision = "0" explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\10d76d0e = 14242bbf81de40b593189b11ae78100cddd04566fe417412944c59f38f4117c37fb18381de23ec99f921f963879b961435d308447010df5f79986159701f1cf812273588ab0895fd67380c18ca8979 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92}\WpadDecisionReason = "1" explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-01-0c-8d-8f-9f\WpadDecision = "0" explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\27099d3c = 6f4532e52fee7722a282e15b04147136fa118ddcae746523cd0fa5d0d31712d97fd9d126eef1f11a493aced7e0fd983c0532b01243ecd7362ac949437bb8ebcd21813cc3ee06c1dc61da72ab9b97561f515d30feb53b9abb85d6db929aab581996aa7ee2b4297f1ac7868a0a2f930671f9b5783528 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\27099d3c = 6f4525e52fee420d3cf6d5236e749187ec96972e70b7bc4b2ab8175c63b54f2e3499bfd5fe3bb4cd447e5ee2f4374cebbeafad6d97712e6ca8d14d4697908271a906c463c81d8b76fffc39f109f6c7addf92503a676ac7e50e5a31345e9288da explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\27099d3c = 6f4532e52fee7722a282e15b04147136fa118ddcae746522cb0aa7d0d31712d97fd9d126eef1f11a493aced7e0fd983c0532b01243ecd7362ac949437bb8ebcd21813cc3ee06c1dc61da72ab9b97561f515d30feb53b9abb85d6db929aab581996aa7ee2b4297f1ac7868a0a2f930671f9b5783528 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xrgtrtdiudpr explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\12964d72 = 665909d6f298e0bd14eceb5f8f8f6b05865359d8951cb87457f2b391e8517a117c931c8cf3874c7e44328a050792058265df68b7f0efd875291666657bd4ca065b04b425b46cd5038f0420235966c834f500bf7934a63109bfdf65a9c0a8952d4843541295a077724ee101342cc809ae27400a0c07db7c59e1a0f5ccce5c721fe2105aa4677d312f4083f5f2828582b2b87b3350c641c7151ee6e31caa27968006d1ac698a04e762db15083a4e7918d6f724112aba8a6a83c933cfdc2c335b7a5245bc7eac77c930aaf25606 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\6ddf2284 = d0d2da773947eba0729aabd9b1fff3936d1507a9849e84127c explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Xrgtrtdiudpr\5840f2ca = eade1496fd69ef8f591276e2c99f369dcff39257dad5f74860b5eb7b7413f577868dd1ec4ed50dfceba4824a49fd290c854953b27a6ac9ed694a4bf9cff36205621184ac0420ab6af8297559d8ef21a33dce266bd8e4f5e617c8360afdf2045597a1a138a197cb951cbc210dcc16 explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" explorer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad explorer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92}\46-01-0c-8d-8f-9f explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-01-0c-8d-8f-9f\WpadDecisionReason = "1" explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{260E7B95-D308-47EC-A05C-9E6F9F2AFC92}\WpadDecisionTime = 202263e0d4ccd701 explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 756 rundll32.exe 1692 regsvr32.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 756 rundll32.exe 1692 regsvr32.exe -
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exedescription pid process target process PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 932 wrote to memory of 756 932 rundll32.exe rundll32.exe PID 756 wrote to memory of 592 756 rundll32.exe explorer.exe PID 756 wrote to memory of 592 756 rundll32.exe explorer.exe PID 756 wrote to memory of 592 756 rundll32.exe explorer.exe PID 756 wrote to memory of 592 756 rundll32.exe explorer.exe PID 756 wrote to memory of 592 756 rundll32.exe explorer.exe PID 756 wrote to memory of 592 756 rundll32.exe explorer.exe PID 592 wrote to memory of 1152 592 explorer.exe schtasks.exe PID 592 wrote to memory of 1152 592 explorer.exe schtasks.exe PID 592 wrote to memory of 1152 592 explorer.exe schtasks.exe PID 592 wrote to memory of 1152 592 explorer.exe schtasks.exe PID 1040 wrote to memory of 1536 1040 taskeng.exe regsvr32.exe PID 1040 wrote to memory of 1536 1040 taskeng.exe regsvr32.exe PID 1040 wrote to memory of 1536 1040 taskeng.exe regsvr32.exe PID 1040 wrote to memory of 1536 1040 taskeng.exe regsvr32.exe PID 1040 wrote to memory of 1536 1040 taskeng.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1536 wrote to memory of 1692 1536 regsvr32.exe regsvr32.exe PID 1692 wrote to memory of 1844 1692 regsvr32.exe explorer.exe PID 1692 wrote to memory of 1844 1692 regsvr32.exe explorer.exe PID 1692 wrote to memory of 1844 1692 regsvr32.exe explorer.exe PID 1692 wrote to memory of 1844 1692 regsvr32.exe explorer.exe PID 1692 wrote to memory of 1844 1692 regsvr32.exe explorer.exe PID 1692 wrote to memory of 1844 1692 regsvr32.exe explorer.exe PID 1844 wrote to memory of 1948 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1948 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1948 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1948 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1116 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1116 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1116 1844 explorer.exe reg.exe PID 1844 wrote to memory of 1116 1844 explorer.exe reg.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\oskzgaz.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\oskzgaz.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn giplfgz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\oskzgaz.dll\"" /SC ONCE /Z /ST 14:46 /ET 14:584⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {165B0764-79EF-48A8-BE43-DD14E5820219} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\oskzgaz.dll"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\oskzgaz.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hqxdmyldgiu" /d "0"5⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rrswreuavei" /d "0"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\oskzgaz.dllMD5
7ab84786a2d5aca40ece131235ca7699
SHA143b15505f2b527443cf61a6b72f96ef13bad3eb2
SHA256e307e37daab066ab1176b93c42fae837585001f3232c2c15545b9b703ab7cede
SHA512cbd234c2765b3d6203d67550b9ea555fa9e581fe9483f3ac889bd58856b7866a523678c96c586486751c45252714109f13a981c0835395c9a9c0c33b1c478fff
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\oskzgaz.dllMD5
7ab84786a2d5aca40ece131235ca7699
SHA143b15505f2b527443cf61a6b72f96ef13bad3eb2
SHA256e307e37daab066ab1176b93c42fae837585001f3232c2c15545b9b703ab7cede
SHA512cbd234c2765b3d6203d67550b9ea555fa9e581fe9483f3ac889bd58856b7866a523678c96c586486751c45252714109f13a981c0835395c9a9c0c33b1c478fff
-
memory/592-64-0x00000000000B0000-0x00000000000B2000-memory.dmpFilesize
8KB
-
memory/592-68-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/592-67-0x00000000744D1000-0x00000000744D3000-memory.dmpFilesize
8KB
-
memory/592-65-0x0000000000000000-mapping.dmp
-
memory/756-59-0x00000000004E0000-0x0000000000501000-memory.dmpFilesize
132KB
-
memory/756-62-0x00000000004A0000-0x00000000004D1000-memory.dmpFilesize
196KB
-
memory/756-63-0x00000000004E0000-0x0000000000501000-memory.dmpFilesize
132KB
-
memory/756-61-0x00000000004E0000-0x0000000000501000-memory.dmpFilesize
132KB
-
memory/756-60-0x00000000004E0000-0x0000000000501000-memory.dmpFilesize
132KB
-
memory/756-58-0x00000000004E0000-0x0000000000501000-memory.dmpFilesize
132KB
-
memory/756-57-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/756-54-0x0000000000000000-mapping.dmp
-
memory/756-56-0x0000000001CE0000-0x0000000001DE2000-memory.dmpFilesize
1.0MB
-
memory/756-55-0x0000000076201000-0x0000000076203000-memory.dmpFilesize
8KB
-
memory/1116-89-0x0000000000000000-mapping.dmp
-
memory/1152-69-0x0000000000000000-mapping.dmp
-
memory/1536-71-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmpFilesize
8KB
-
memory/1536-70-0x0000000000000000-mapping.dmp
-
memory/1692-76-0x0000000000470000-0x0000000000572000-memory.dmpFilesize
1.0MB
-
memory/1692-77-0x0000000000B90000-0x0000000000BB1000-memory.dmpFilesize
132KB
-
memory/1692-78-0x0000000000B90000-0x0000000000BB1000-memory.dmpFilesize
132KB
-
memory/1692-79-0x0000000000B90000-0x0000000000BB1000-memory.dmpFilesize
132KB
-
memory/1692-80-0x0000000000B90000-0x0000000000BB1000-memory.dmpFilesize
132KB
-
memory/1692-81-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/1692-82-0x0000000000B90000-0x0000000000BB1000-memory.dmpFilesize
132KB
-
memory/1692-73-0x0000000000000000-mapping.dmp
-
memory/1844-84-0x0000000000000000-mapping.dmp
-
memory/1844-90-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/1948-88-0x0000000000000000-mapping.dmp