Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-12-2021 11:24
Static task: static1
Behavioral task: behavioral1
Sample: 49f570914fa998c08360d461a5a3f03d.exe
Resource: win7-en-20211208
General
- Target: 49f570914fa998c08360d461a5a3f03d.exe
- Size: 5.4MB
- MD5: 49f570914fa998c08360d461a5a3f03d
- SHA1: e0f2ba1960f68f7abbc70a12f4bc7a5a2b706389
- SHA256: c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b
- SHA512: e7da6b422d5f1a9edbd57ab6acf8bcf9916cd6f6e1cc0c3d39f51617c7bd4c3ecb03abf0898d0cd9055c4a14fae13b7f41962648bf2c5d06e953e98085b98d18
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 4 IoCs
Processes:
WScript.exe
flow  pid  process
13    868  WScript.exe
14    868  WScript.exe
15    868  WScript.exe
16    868  WScript.exe
-
Executes dropped EXE 3 IoCs
Processes:
oxgoad.exe, palmusvp.exe, DpEditor.exe
pid   process
528   oxgoad.exe
520   palmusvp.exe
1756  DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
palmusvp.exe, oxgoad.exe, DpEditor.exe
description        ioc                                                                process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  palmusvp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   palmusvp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  oxgoad.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   oxgoad.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
-
Loads dropped DLL 10 IoCs
Processes:
49f570914fa998c08360d461a5a3f03d.exe, oxgoad.exe, palmusvp.exe, DpEditor.exe
pid   process
1900  49f570914fa998c08360d461a5a3f03d.exe
1900  49f570914fa998c08360d461a5a3f03d.exe
528   oxgoad.exe
1900  49f570914fa998c08360d461a5a3f03d.exe
528   oxgoad.exe
520   palmusvp.exe
520   palmusvp.exe
528   oxgoad.exe
1756  DpEditor.exe
1756  DpEditor.exe
-
Processes:
resource / yara_rule
\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe / themida
C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe / themida
C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe / themida
\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe / themida
C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe / themida
\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe / themida
\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe / themida
\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe / themida
\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe / themida
C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe / themida
behavioral1/memory/520-71-0x0000000001290000-0x0000000001968000-memory.dmp / themida
behavioral1/memory/528-73-0x0000000001160000-0x0000000001843000-memory.dmp / themida
behavioral1/memory/520-72-0x0000000001290000-0x0000000001968000-memory.dmp / themida
behavioral1/memory/520-74-0x0000000001290000-0x0000000001968000-memory.dmp / themida
behavioral1/memory/528-75-0x0000000001160000-0x0000000001843000-memory.dmp / themida
behavioral1/memory/520-76-0x0000000001290000-0x0000000001968000-memory.dmp / themida
behavioral1/memory/528-77-0x0000000001160000-0x0000000001843000-memory.dmp / themida
behavioral1/memory/528-78-0x0000000001160000-0x0000000001843000-memory.dmp / themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe / themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe / themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe / themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe / themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe / themida
behavioral1/memory/1756-89-0x00000000001F0000-0x00000000008D3000-memory.dmp / themida
behavioral1/memory/1756-90-0x00000000001F0000-0x00000000008D3000-memory.dmp / themida
behavioral1/memory/1756-92-0x00000000001F0000-0x00000000008D3000-memory.dmp / themida
behavioral1/memory/1756-91-0x00000000001F0000-0x00000000008D3000-memory.dmp / themida
-
Processes:
palmusvp.exe, oxgoad.exe, DpEditor.exe
description        ioc                                                                                     process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  palmusvp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  oxgoad.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
oxgoad.exe, palmusvp.exe, DpEditor.exe
pid   process
528   oxgoad.exe
520   palmusvp.exe
1756  DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
49f570914fa998c08360d461a5a3f03d.exe
description   ioc                                                 process
File created  C:\Program Files (x86)\foler\olader\acppage.dll     49f570914fa998c08360d461a5a3f03d.exe
File created  C:\Program Files (x86)\foler\olader\adprovider.dll  49f570914fa998c08360d461a5a3f03d.exe
File created  C:\Program Files (x86)\foler\olader\acledit.dll     49f570914fa998c08360d461a5a3f03d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
palmusvp.exe
description        ioc                                                                                      process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        palmusvp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  palmusvp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exe
pid   process
1756  DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
palmusvp.exe, oxgoad.exe, DpEditor.exe
pid   process
520   palmusvp.exe
528   oxgoad.exe
1756  DpEditor.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
49f570914fa998c08360d461a5a3f03d.exe, palmusvp.exe, oxgoad.exe
description                        pid   process                               target process
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 528   1900  49f570914fa998c08360d461a5a3f03d.exe  oxgoad.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 1900 wrote to memory of 520   1900  49f570914fa998c08360d461a5a3f03d.exe  palmusvp.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 1660   520   palmusvp.exe                          WScript.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 528 wrote to memory of 1756   528   oxgoad.exe                            DpEditor.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
PID 520 wrote to memory of 868    520   palmusvp.exe                          WScript.exe
Processes
C:\Users\Admin\AppData\Local\Temp\49f570914fa998c08360d461a5a3f03d.exe
"C:\Users\Admin\AppData\Local\Temp\49f570914fa998c08360d461a5a3f03d.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe
  "C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe
  "C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afhslrymv.vbs"

    C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qtsaeihbavco.vbs"
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads