Analysis

max time kernel: 148s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211014
submitted: 03-11-2021 08:23

Static task
static1

General

Target: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
Size: 1023KB
MD5: 34c80f81e518370f859cc9f2454e6d83
SHA1: dbb94e0f0a99558b8786a2c2ce3322ba281e7f9c
SHA256: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea
SHA512: 6d458b21e8beb210a3a385a56fba3c362e9e74d1005a59a2a735ab593c8a298559b7fc96c32dc6e4659a64c3010c19436af6f499ad5ced84322ecbfa17222a8c

Malware Config
Extracted
xloader
2.5
rqan
http://www.cardboutiqueapp.com/rqan/

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Neshta
Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4524-120-0x0000000000000000-mapping.dmp | xloader
behavioral1/memory/4524-122-0x0000000072480000-0x00000000724A9000-memory.dmp | xloader
behavioral1/memory/4688-129-0x0000000000900000-0x0000000000929000-memory.dmp | xloader

Executes dropped EXE 1 IoCs
Processes: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
pid | process
3804 | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pgkbuilv = "C:\\Users\\Public\\\\vliubkgP.url" | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Suspicious use of SetThreadContext 2 IoCs
Processes: logagent.exe, help.exe
description | pid | process | target process
PID 4524 set thread context of 2872 | 4524 | logagent.exe | Explorer.EXE
PID 4688 set thread context of 2872 | 4688 | help.exe | Explorer.EXE

Drops file in Program Files directory 53 IoCs
Drops file in Windows directory 1 IoCs
Processes: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
description | ioc | process
File opened for modification | C:\Windows\svchost.com | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 1 IoCs
Processes: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes: logagent.exe, help.exe
pid | process
4524 | logagent.exe
4688 | help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2872 | Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
Processes: logagent.exe, help.exe
pid | process
4524 | logagent.exe
4688 | help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: logagent.exe, help.exe
description | pid | process
Token: SeDebugPrivilege | 4524 | logagent.exe
Token: SeDebugPrivilege | 4688 | help.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe, 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe, Explorer.EXE
description | pid | process | target process
PID 4384 wrote to memory of 3804 | 4384 | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
PID 3804 wrote to memory of 4524 | 3804 | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe | logagent.exe
PID 2872 wrote to memory of 4688 | 2872 | Explorer.EXE | help.exe

Processes

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
  "C:\Users\Admin\AppData\Local\Temp\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe"
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\logagent.exe
      C:\Windows\System32\logagent.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
MD5: a928d1866afcb0696d4ac43ceec12128
SHA1: 55edbb8f5334194ab0345bd72b9cf58ddb384579
SHA256: 1aa28435e63887b1ee372f54ce2e926888d19f5d3d3ab4d35d39da4b5272d721
SHA512: 74c394e9dacf213a4ae81f7267c7979aad0e95c60affc50fd51a8c1d7edf8345444a2e8a6e6aaf9fe3d37a47a7e104158b8ae54eaa38aa4f29370d63e743594f