Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 18-12-2021 14:32
Static task: static1
Behavioral task: behavioral1
- Sample: e83517fe9b3f52c6e737fcc19419a8e5.exe
- Resource: win7-en-20211208
General
- Target: e83517fe9b3f52c6e737fcc19419a8e5.exe
- Size: 5.4MB
- MD5: e83517fe9b3f52c6e737fcc19419a8e5
- SHA1: 04c6caae34bd9d7cac2377279e51371bd24e418e
- SHA256: 75aa979f8875e3c4586d311d27612058c99e975649cd4ea26d0ee43d98888c8e
- SHA512: ca9f942efda428e73bc27927545b5cef8c001944ae801bff8c038bd77582c2a3007b6585bad313b05239f63783d81fda4faafd67bd82095fcb4ec395be6d5d41
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 4 IoCs
Processes:
WScript.exe
flow pid process
13 1972 WScript.exe
14 1972 WScript.exe
15 1972 WScript.exe
16 1972 WScript.exe
-
Executes dropped EXE 3 IoCs
Processes:
dehkan.exe, dipodevp.exe, DpEditor.exe
pid process
652 dehkan.exe
1200 dipodevp.exe
1900 DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
DpEditor.exe, dehkan.exe, dipodevp.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dehkan.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dehkan.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dipodevp.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dipodevp.exe
-
Loads dropped DLL 10 IoCs
Processes:
e83517fe9b3f52c6e737fcc19419a8e5.exe, dehkan.exe, dipodevp.exe, DpEditor.exe
pid process
1732 e83517fe9b3f52c6e737fcc19419a8e5.exe
1732 e83517fe9b3f52c6e737fcc19419a8e5.exe
652 dehkan.exe
652 dehkan.exe
1732 e83517fe9b3f52c6e737fcc19419a8e5.exe
1200 dipodevp.exe
1200 dipodevp.exe
652 dehkan.exe
1900 DpEditor.exe
1900 DpEditor.exe
-
Processes:
resource yara_rule
\Users\Admin\AppData\Local\Temp\faring\dehkan.exe themida
C:\Users\Admin\AppData\Local\Temp\faring\dehkan.exe themida
\Users\Admin\AppData\Local\Temp\faring\dehkan.exe themida
C:\Users\Admin\AppData\Local\Temp\faring\dehkan.exe themida
\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe themida
\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe themida
C:\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe themida
C:\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe themida
\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe themida
\Users\Admin\AppData\Local\Temp\faring\dehkan.exe themida
behavioral1/memory/1200-71-0x0000000001340000-0x0000000001A0A000-memory.dmp themida
behavioral1/memory/652-72-0x0000000000C10000-0x0000000001300000-memory.dmp themida
behavioral1/memory/1200-73-0x0000000001340000-0x0000000001A0A000-memory.dmp themida
behavioral1/memory/652-74-0x0000000000C10000-0x0000000001300000-memory.dmp themida
behavioral1/memory/1200-75-0x0000000001340000-0x0000000001A0A000-memory.dmp themida
behavioral1/memory/652-76-0x0000000000C10000-0x0000000001300000-memory.dmp themida
behavioral1/memory/1200-77-0x0000000001340000-0x0000000001A0A000-memory.dmp themida
behavioral1/memory/652-78-0x0000000000C10000-0x0000000001300000-memory.dmp themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida
behavioral1/memory/1900-89-0x00000000002E0000-0x00000000009D0000-memory.dmp themida
behavioral1/memory/1900-90-0x00000000002E0000-0x00000000009D0000-memory.dmp themida
behavioral1/memory/1900-91-0x00000000002E0000-0x00000000009D0000-memory.dmp themida
behavioral1/memory/1900-92-0x00000000002E0000-0x00000000009D0000-memory.dmp themida
-
Processes:
dehkan.exe, dipodevp.exe, DpEditor.exe
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dehkan.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dipodevp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
4 ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
dehkan.exe, dipodevp.exe, DpEditor.exe
pid process
652 dehkan.exe
1200 dipodevp.exe
1900 DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
e83517fe9b3f52c6e737fcc19419a8e5.exe
description ioc process
File created C:\Program Files (x86)\foler\olader\acledit.dll e83517fe9b3f52c6e737fcc19419a8e5.exe
File created C:\Program Files (x86)\foler\olader\acppage.dll e83517fe9b3f52c6e737fcc19419a8e5.exe
File created C:\Program Files (x86)\foler\olader\adprovider.dll e83517fe9b3f52c6e737fcc19419a8e5.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dipodevp.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dipodevp.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dipodevp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exe
pid process
1900 DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
dehkan.exe, dipodevp.exe, DpEditor.exe
pid process
652 dehkan.exe
1200 dipodevp.exe
1900 DpEditor.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
e83517fe9b3f52c6e737fcc19419a8e5.exe, dipodevp.exe, dehkan.exe
description pid process target process
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 652 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dehkan.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1732 wrote to memory of 1200 1732 e83517fe9b3f52c6e737fcc19419a8e5.exe dipodevp.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1660 1200 dipodevp.exe WScript.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 652 wrote to memory of 1900 652 dehkan.exe DpEditor.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
PID 1200 wrote to memory of 1972 1200 dipodevp.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e83517fe9b3f52c6e737fcc19419a8e5.exe
"C:\Users\Admin\AppData\Local\Temp\e83517fe9b3f52c6e737fcc19419a8e5.exe" 1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\faring\dehkan.exe
"C:\Users\Admin\AppData\Local\Temp\faring\dehkan.exe" 2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe" 3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe
"C:\Users\Admin\AppData\Local\Temp\faring\dipodevp.exe" 2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cjrtntkabtsc.vbs" 3⤵
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wwkuxoidy.vbs" 3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads